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Chapter 1: About Managing the Proxy SG 



Volume 9: Managing the Blue Coat ProxySG Appliance describes how to monitor 
the ProxySG appliance with SNMP (a brief introduction to Director is 
provided), event logging, or health monitoring. It also describes common 
maintenance and troubleshooting tasks. 

Discussed in this volume: 



a Chapter 2 
a Chapter 3 
a Chapter 4 
a Chapter 5 



"Monitoring the ProxySG" 
"Maintaining the ProxySG" 
"Diagnostics" 

"Statistics" 



Document Conventions 

The following section lists the typographical and Command Line Interface 
(CLI) syntax conventions used in this manual. 



Table 1-1 Document Conventions 



Conventions 


Definition 


Italics 


The first use of a new or Blue Coat-proprietary term. 


Courier font 


Screen output. For example, command line text, file names, and 
Blue Coat Content Policy Language (CPL). 


Courier Italics 


A command line variable that is to be substituted with a literal 
name or value pertaining to the appropriate facet of your 
network system. 


Courier Boldface 


A Blue Coat literal to be entered as shown. 


Arial Boldface 


Screen elements in the Management Console. 


{ } 


One of the parameters enclosed within the braces must be 
supplied 


[ ] 


An optional parameter or parameters. 


1 


Either the parameter before or after the pipe character can or 
must be selected, but not both. 



About Procedures 

Many of the procedures in this volume begin: 

□ Select Configuration > TabName, if you are working in the Management 
Console, or 
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□ From the (config) prompt, if you are working in the command line interface 
(CLI). 

Blue Coat assumes that you are logged into the first page of the Management 
Console or entered into configuration mode in the CLI. 

Illustrations 

To save space, screen shots illustrating a procedure often have the bottom portion 
removed, along with the blank space. 



General 

- Unique name for this ProxySG Appliance: 

Name: | 172 . 16.90.44 - Blue Coat SG200 Series 



r Serial number of the ProxySG Appliance: 

Serial number: 





Preview 


Apply 


Revert 


Help 



Figure 1-1 Configuration > General Tab with Bottom Buttons 



□ Preview: Click this button to view the configuration changes before applying 
the configuration to the ProxySG. To modify your changes, click Close and 
return to the tab whose settings you want to modify. 

□ Apply: Click this button to apply unsaved configuration changes to the 
ProxySG. 

□ Revert: Click this button to revert any unapplied changes to the ProxySG 
configuration. Changes that previously have been applied to the ProxySG are 
not affected. 



□ Help: Click this button to view conceptual and procedural documentation 
about the tab's topic. 



General 

- Unique name for this ProxySG Appliance: 



Name: 



172.16.90.44 - Blue Coat SG200 Series 



- Serial number of the ProxySG Appliance: 

Serial number: 



Figure 1-2 Configuration > General Tab with Bottom Buttons Removed 
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Chapter 2: Monitoring the ProxySG 



This chapter describes the methods you can use to monitor your ProxySG 
appliances, including event logging, SNMP, and health monitoring. A brief 
introduction to Director is also provided. 

Topics in this Chapter: 

□ Section A: "Using Director to Manage ProxySG Systems" on page 10 

□ Section B: "Monitoring the System and Disks" on page 13 

□ Section C: "Setting Up Event Logging and Notification" on page 17 

□ Section D: "Configuring SNMP" on page 23 

□ Section E: "Configuring Health Monitoring" on page 42 
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Section A: Using Director to Manage ProxySG Systems 

Section A: Using Director to Manage ProxySG Systems 

Blue Coat Director allows you to manage multiple ProxySG appliances, 
eliminating the need to configure and control the appliances individually 

Director allows you to configure a ProxySG and then push that configuration out 
to as many appliances as required. Director also allows you to delegate network 
and content control to multiple administrators and distribute user and content 
policy across a Content Delivery Network (CDN). With Director, you can: 

□ Reduce management costs by centrally managing all Blue Coat appliances. 

□ Eliminate the need to manually configure each remote ProxySG. 

□ Recover from system problems with configuration snapshots and recovery. 

Automatically Registering the ProxySG with Director 

You can use the Blue Coat Director registration feature to automatically register 
the ProxySG with a Blue Coat Director, thus enabling that Director to establish a 
secure administrative session with the appliance. During the registration process. 
Director can lock out all other administrative access to the appliance so that all 
configuration changes are controlled and initiated by Director. This is useful if 
you want to control access to the appliance or if you want to ensure that 
appliances receive the same configuration. 

The registration process is fully authenticated; the devices use their Blue Coat 
appliance certificate or a shared secret (a registration password configured on 
Director) to confirm identities before exchanging public keys. If the ProxySG has 
an appliance certificate, that certificate is used to authenticate the ProxySG to 
Director as an SSL client. If the appliance does not have an appliance certificate, 
you must configure a registration secret on Director and specify that secret on the 
ProxySG. Refer to the Blue Coat Director Configuration and Management Guide for 
more information about specifying the shared secret. 



Note: The Blue Coat appliance certificate is an X.509 certificate that contains the 
hardware serial number of a specific ProxySG as the Common Name (CN) in the 
subject field. Refer to the device authentication information in Volume 5: Advanced 
Networking for more information about appliance certificates. 



Director Registration Requirements 

To register the appliance with Director, the SSH Console management service on 
the ProxySG must be enabled. Director registration will fail if the SSH Console 
has been disabled or deleted or if the SSHv2 host key has been deleted. 

Ports 8085 and 8086 are used fo registration from the ProxySG to Director. If 
Director is already in the network, you do not need to open these ports. If you 
have a firewall between the ProxySG and Director and you want to use the 
registration feature, you must open ports 8085 and 8086. 
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Section A: Using Director to Manage ProxySG Systems 

Registering the SG Appliance with Director 

Though usually initiated at startup (with the serial console setup), you can also 
configure Director registration from the Management Console, as described in the 
following procedure. 

To register the appliance with a Director: 

1. Select Maintenance > Director Registration. 




2. In the Director IP address field, enter the Director IP address. 

3. In the Director serial number field, enter the Director serial number or click 
RetrieveS/N from Director. If you retrieve the serial number from the Director, 
verify that the serial number matches the one specified for your Director. 

4. Optional — In the Appliance name field, enter the ProxySG name. 

5. If your appliance does not have an appliance certificate, enter the Director 
shared secret in the Registration password field. 



Note: Refer to the Blue Coat Director Configuration and Management Guide for 
more information about configuring the shared secret. For information about 
appliance certificates, refer to Volume 5: Advanced Networking. 

6. Click Register. 

Related CLI Commands for Director Registration 

SGOS# register-with-director dir_ip_address [appliance_name 
dir_serial_number] 

Setting Up Director and ProxySG Communication 

Director and the ProxySG use SSHv2 as the default communication mode. SSHvl 
is not supported. 

For Director to successfully manage multiple appliances, it must be able to 
communicate with an appliance using SSH/RSA and the Director's public key 
must be configured on each system that Director manages. 
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Section A: Using Director to Manage ProxySG Systems 

When doing initial setup of the ProxySG from Director, Director connects to the 
appliance using the authentication method established on the device: SSH with 
simple authentication or SSH/RSA. SSH/RSA is preferred, and must also be set 
up on Director before connecting to the ProxySG. 

Director can create an RSA keypair for a ProxySG to allow connections. However, 
for full functionality. Director's public key must be configured on each appliance. 
You can configure the key on the system using the following two methods: 

□ Use Director to create and push the key. 

□ Use the import-director-client-key CLI command from the ProxySG. 

Using Director to create and push client keys is the recommended method. The 
CLI command is provided for reference. 

Complete the following steps to put Director's public key on the ProxySG using 
the CLI of the appliance. You must complete this procedure from the CLI. The 
Management Console is not available. 



Note: For information on creating and pushing a SSH keypair on Director, refer 
to the Blue Coat Director Installation Guide. 



Log in to the ProxySG you want to manage from Director. 

1. From the (config) prompt, enter the ssh-console submode: 

SGOS# (config) ssh-console 
SGOS# (config ssh-console) 

2. Import Director's key that was previously created on Director and copied to 
the clipboard. 



Important: You must add the Director identification at the end of the client 
key. The example shows the username, IP address, and MAC address of 
Director. Director must be the username, allowing you access to passwords in 
clear text. 



SGOS# (config services ssh-console) inline director-client-key 
Paste client key here, end with "..." (three periods) 

ssh-rsa AAAAB3NzaClyc2EAAAABIwAAAIEAvJIXtlZausE9qrcXem2IK/mC4dY8Cxxol/ 
B8th4KvedFY330By0/pvwcuchPZz+blLETTY/zc3SL7 jdVffqOOKBN/ 
ir4zu7L2XT68ML20RWa9tXFedNmKl/iagI3/QZJ8T8zQM6o7WnBzTvMC/ 
ZElMZZddAE3yPCv9+s2TR/ Ipk=director0 10 .25.36.47-2.00e0.8105.d46b 

ok 

To view the fingerprint of the key: 

SGOS# (config sshd) view director-client-key clientID 
j smith@granite . example . com 

83:C0:0D:57:CC:24:36:09:C3:42:B7:86:35:AC:D6:47 

To delete a key: 

SGOS# (config sshd) delete director-client-key clientID 
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Section B: Monitoring the System and Disks 

Section B: Monitoring the System and Disks 

The System and disks page in the Management Console has the following tabs: 

□ Summary 

Provides configuration information and a general status information about 
the device. 

□ Tasks 

Enables you to perform systems tasks, such as restarting the system and 
clearing the DNS or object cache. See Chapter 3: "Maintaining the ProxySG" 
for information about these tasks. 

□ Environment 

Displays hardware statistics. 

□ Disks 

Displays details about the installed disks and enables you take them offline. 

□ SSL Cards 

Displays details about any installed SSL cards. 

These statistics are also available in the CLI. 



Note: The SG400 appliances do not have an Environment tab. 



System Summary 

The device provides a variety of information on its status. The fields on the 
Summary tab are described below: 

□ Disks Installed — the number of disk drives installed in the device. The Disks tab 
displays the status of each drive. 

□ Memory installed — the amount of RAM installed in the device. 

□ CPUs installed — the number of CPUs installed in the device. 

□ Software image — the version and release number of the device image. 

□ Serial number — the serial number of the machine, if available. 

□ System started — the time and date the device was started. 

□ CPU utilization — the current percent utilization of the device CPU. 

To view the system summary statistics: 

Select Maintenance > System and disks > Summary. 
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Section B: Monitoring the System and Disks 



Summary Tasks | Environment | Disks 1-2 | SSL Cards 

- Configuration 

Disks installed: 1 

Memory installed: 51 2 megabytes 
CPUs installed: 1 

Software image: |sGOS 5.1 .3.5, Release id: 27752 Debug 
Serial number: 4505060020 



- General Status 

System started: 2006-1 2-20 20: 1 5: 46+00: 00UTC 
CPU utilization: 1 percent 



Viewing System Environment Sensors 

The icons on the Environment tab are green when the related hardware 
environment is within acceptable parameters, and red when an out-of-tolerance 
condition exists. If an icon is red, click View Sensors to view detailed sensor 
statistics to learn more about the out-of-tolerance condition. 



Note: The health monitoring metrics on the Statistics > Health page also show the 
state of environmental sensors. See Section E: "Configuring Health Monitoring" 
on page 42 for more information. 

You cannot view environment statistics on an SG400 appliance. 



To view the system environment statistics: 

1. Select Maintenance > System and disks > Environment. 



Note: This tab varies depending on the type of ProxySG that you are using. 



Summary | Tasks Environment j Disks 1-2 | SSL Cards 

- Temperature 



o 



2. Click View Sensors to see detailed sensor values; close the window when you 
are finished. 
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Section B: Monitoring the System and Disks 



Sensor statistics 



Sensor Name Rea dins 


Status 


MB Temperature 31.0 C 


OK 


CPU Temperature 31.0 C 


OK 



Viewing Disk Status 

You can view the status of each of the disks in the system and take a disk offline if 
needed. 

To view disk status or take a disk offline: 

1. Select Maintenance > System and disks > Disks 1-2. 

The default view provides information about the disk in slot 1. 



Note: The name and appearance of this tab differs, depending on the range 
of disks available to the ProxySG model you use. 



Summary | Tasks | Environment Disks 1-2 | SSL Cards | 

r Disk in slot 1 



Vendor: SEAGATE Product: ST340014A 

Revision: 8.54 Disk SN: 5JVQ76VS 

Capacity: 40.02 gigabytes Status: PRESENT 



Take diski offline 



2. Select the disk to view or to take offline by clicking the appropriate disk icon. 

3. (Optional) To take the selected disk offline, click the Take disk X offline button 
(where x is the number of the disk you have selected); click OK in the Take 
disk offline dialog that displays. 
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Section B: Monitoring the System and Disks 

Viewing SSL Accelerator Card Information 

Selecting the Maintenance > System and disks > SSL Cards tab allows you to view 
information about any SSL accelerator cards in the system. If no accelerator cards 
are installed, that information is stated on the pane. 

To view SSL accelerator cards: 



Note: You cannot view statistics about SSL accelerator cards through the 
CLI. 



□ Select Maintenance > System and disks > SSL Cards. 



Summary | Tasks Environment j Disks 1-2 SSI Cards 

SSL Accelerators 

Internal: Cavium CN501 Security Processor 
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Section C: Setting Up Event Logging and Notification 

Section C: Setting Up Event Logging and Notification 

You can configure the ProxySG to log system events as they occur. Event logging 
allows you to specify the types of system events logged, the size of the event log, 
and to configure Syslog monitoring. The appliance can also notify you by e-mail if 
an event is logged. 

Configuring Which Events to Log 

The event level options are listed from the most to least important events. Because 
each event requires some disk space, setting the event logging to log all events 
fills the event log more quickly. 

To set the event logging level: 

1. Select Maintenance > Event Logging > Level. 

Level Size j Mail j Syslog 

r Event logging level: 

0 Severe errors 
0 Configuration events 
0 Policy messages 
0 Informational 
|~1 Verbose 

2. Select the events you want to log. 

When you select an event level, all levels above the selection are included. For 
example, if you select Verbose, all event levels are included. 

3. Click Apply. 

Related CLI Commands for Setting the Event Logging Level 

SGOS# (config event-log) level {severe | configuration | policy | 
informational | verbose} 



Table 2-1 Event Logging Level Options 



severe 


Writes only severe error messages to the event log. 


configuration 


Writes severe and configuration change error messages to the 
event log. 


policy 


Writes severe, configuration change, and policy event error 
messages to the event log. 


informational 


Writes severe, configuration change, policy event, and information 
error messages to the event log. 


verbose 


Writes all error messages to the event log. 
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Section C: Setting Up Event Logging and Notification 

Setting Event Log Size 

You can limit the size of the appliances's event log and specify what the appliance 
should do if the log size limit is reached. 

To set event log size: 

1. Select Maintenance > Event Logging > Size. 

Level Size Mail | Syslog 

r Event log size: 

Limit event log to | 1 0 [ megabytes of disk space 



r When event log reaches maximum size: 

® Overwrite earlier events 
O Stop logging new events 

2. In the Event log size field, enter the maximum size of the event log in 
megabytes. 

3. Select either Overwrite earlier events or Stop logging new events to specify the 
desired behavior when the event log reaches maximum size. 

4. Click Apply. 

Related CLI Commands to Set the Event Log Size 

SSGOS# (config event-log) log-size megabytes 

SGOS# (config event-log) when-full {overwrite | stop} 

Enabling Event Notification 

The ProxySG can send event notifications to Internet e-mail addresses using 
SMTP. You can also send event notifications directly to Blue Coat for support 
purposes. For information on configuring diagnostic reporting, see Chapter 4: 
"Diagnostics". 



Note: The ProxySG must know the host name or IP address of your SMTP mail 
gateway to mail event messages to the e-mail address(es) you have entered. If you 
do not have access to an SMTP gateway, you can use the Blue Coat default SMTP 
gateway to send event messages directly to Blue Coat. 

The Blue Coat SMTP gateway only sends mail to Blue Coat. It will not forward 
mail to other domains. 



To enable event notifications: 

1. Select Maintenance > Event Logging > Mail. 
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Section C: Setting Up Event Logging and Notification 




2. Click New to add a new e-mail address; click OK in the Add list item dialog that 
appears. 

3. In the SMTP gateway name field, enter the host name of your mail server; or in 
the SMTP gateway IP field, enter the IP address of your mail server. 

4. (Optional) If you want to clear one of the above settings, select the radio 
button of the setting you want to clear. You can clear only one setting at a 
time. 

5. Click Apply. 

Related CLI Commands to Enable Event Notifications 

SGOS# (config event-log) mail add email_address 

Syslog Event Monitoring 

Syslog is an event-monitoring scheme that is especially popular in UNIX 
environments. Sites that use syslog typically have a log host node, which acts as a 
sink (repository) for several devices on the network. You must have a syslog 
daemon operating in your network to use syslog monitoring. The syslog format 

is: Date Time Hostname Event. 

Most clients using syslog have multiple devices sending messages to a single 
syslog daemon. This allows viewing a single chronological event log of all of the 
devices assigned to the syslog daemon. An event on one network device might 
trigger an event on other network devices, which, on occasion, can point out 
faulty equipment. 

To enable syslog monitoring: 

1. Select Maintenance > Event Logging > Syslog. 



19 





Volume 9: Managing the Blue Coat ProxySG Appliance 



Section C: Setting Up Event Logging and Notification 



Level | Size | Mail Syslog 




2. In the Loghost field, enter the domain name or IP address of your loghost 
server. 

3. Select Enable Syslog. 

4. Click Apply. 

Related CLI Commands to Enable Syslog Monitoring 

SGOS# (config event-log) syslog {disable | enable} 

Viewing Event Log Configuration and Content 

You can view the system event log, either in its entirety or selected portions of it. 

Viewing the Event Log Configuration 

You can view the event log configuration, from show or from view in the event-log 
configuration mode. 

To view the event log configuration: 

At the prompt, enter the following command: 

□ From anywhere in the CLI 

SGOS> show event-log configuration 

Settings : 

Event level: severe + configuration + policy + informational 
Event log size: 10 megabytes 

If log reaches maximum size, overwrite earlier events 
Syslog loghost: <none> 

Syslog notification: disabled 
Syslog facility: daemon 
Event recipients : 

SMTP gateway: 

mail . heartbeat . blue coat . com 



-or- 

□ From the (config) prompt: 

SGOS# (config) event-log 

SGOS# (config event-log) view configuration 
Settings : 

Event level: severe + configuration + policy + informational 
Event log size: 10 megabytes 
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If log reaches maximum size, overwrite earlier events 
Syslog loghost: <none> 

Syslog notification: disabled 
Syslog facility: daemon 
Event recipients : 

SMTP gateway: 

mail . heartbeat . blue coat . com 

Viewing the Event Log Contents 

Again, you can view the event log contents from the show command or from the 
event-log configuration mode. 

The syntax for viewing the event log contents is 

SGOS# show event-log 

-or- 

SGOS# (config event-log) view 

[start [YYYY-mm-dd] [HH:MM:SS]] [end [YYYY-mm-dd] [HH:MM:SS]] [regex 
regex | substring string] 

Pressing <Enter> shows the entire event log without filters. 

The order of the filters is unimportant. If start is omitted, the start of the recorded 
event log is used. If end is omitted, the end of the recorded event log is used. 

If the date is omitted in either start or end, it must be omitted in the other one 
(that is, if you supply just times, you must supply just times for both start and 
end, and all times refer to today). The time is interpreted in the current time zone 
of the appliance. 

Understanding the Time Filter 

The entire event log can be displayed, or either a starting date/ time or ending 
date/ time can be specified. A date/ time value is specified using the notation 
([yyyy-mm-dd] [HH:MM:ss] ). Parts of this string can be omitted as follows: 

□ If the date is omitted, today's date is used. 

□ If the time is omitted for the starting time, it is 00:00:00. 

□ If the time is omitted for the ending time, it is 2 3 : 5 9 : 5 9. 

At least one of the date or the time must be provided. The date/ time range is 
inclusive of events that occur at the start time as well as dates that occur at the end 
time. 



Note: If the notation includes a space, such as between the start date and the start 
time, the argument in the CLI should be quoted. 
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Section C: Setting Up Event Logging and Notification 

Understanding the Regex and Substring Filters 

A regular expression can be supplied, and only event log records that match the 
regular expression are considered for display. The regular expression is applied 
to the text of the event log record not including the date and time. It is case- 
sensitive and not anchored. You should quote the regular expression. 

Since regular expressions can be difficult to write properly, you can use a 
substring filter instead to search the text of the event log record, not including the 
date and time. The search is case sensitive. 

Regular expressions use the standard regular expression syntax as defined by 
policy. If both regex and substring are omitted, then all records are assumed to 
match. 

Example 

SGOS# show event-log start "2004-10-22 9:00:00" end "2004-10-22 
9:15:00" 

2004-10-22 09 : 00 : 02+00 : 00UTC "Snapshot sysinf o_stats has fetched / 
sysinfo-stats " 0 2D0006:96 . . /Snapshot_wor ker . cpp : 183 

2004-10-22 09 : 05 : 4 9+00 : 00UTC "NTP: Periodic query of server 
ntp.bluecoat.com, system clock is 0 seconds 682 ms fast compared to NTP 
time. Updated system clock. " 0 90000:1 . . /ntp. cpp: 631 
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Section D: Configuring SNMP 

Simple Network Managment Protocol (SNMP) is used in network management 
systems to monitor network devices for health or status conditions that require 
administrative attention. The ProxySG supports SNMPvl , SNMPv2c, and 
SNMPv3. 

An SNMP managed network consists of the following: 

□ Managed devices — Network nodes that contain an SNMP agent and reside on 
a managed network. 

□ Agents — Software processes that respond to queries using SNMP to provide 
status and statistics about a network node. 

□ Network Management Systems (NMSs) — Each NMS consists of a 
combination of hardware and software used to monitor and administer a 
network. An NMS executes applications that monitor and control managed 
devices. You can have one or more NMSs on any managed network. 

Some typical uses of SNMP include: 

□ Monitoring device uptimes 

□ Providing information about OS versions 

□ Collecting interface information 

□ Measuring network interface throughput 

Typical Scenarios for Configuring and Using SNMP 

The ProxySG provides the capability to configure SNMP for single network 
management systems, a multiple user NMS, and for notification only. 

Single Network Management System (NMS) 

You can select the SNMP versions the ProxySG supports to match the 
configuration of your SNMP manager, as well as select the ports on which SNMP 
listens. In addition, you can use TCP connections instead of UDP connections if 
your management tool supports that. 

Multiple User NMS 

You can configure the ProxySG to work with a sophisticated network 
environment with NMS users that have different access requirements for using 
SNMP than in a single NMS environment. For example, some users might have 
access to particular network components and not to others, due to their areas of 
responsibility. Some users might have access based on gathering statistics, while 
others are interested in network operations. 
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Notification Only 

If you are not using a network manager to interrogate the state of the ProxySG, 
you can configure the ProxySG to provide required traps without any SNMP 
read-write operations. As a result, no ports are defined as listeners for SNMP If 
any or all SNMP listeners in the services are deleted or disabled, you can still 
configure traps and informs to go out. 

About SNMP Traps and Informs 

SNMP agents (software running on a network-connected device) not only listen 
for queries for data, but also can be configured to send traps or informs (alert 
messages) to a network-monitoring device that is configured to receive SNMP 
traps. The only difference between a trap and an inform is that the SNMP 
manager that receives an inform request acknowledges the message with an 
SNMP response; no response is sent for regular traps. 

SNMP traps work with SNMPvl, SNMPv2c, and SNMPv3. SNMP informs work 
with SNMPv2c and SNMPv3 only. 

When you have traps enabled, events that can trigger a trap to be sent include 
such things as hardware failures and elevations or decreases in component 
thresholds. The default SNMP traps and informs include the following standard 
SNMP traps: 

□ coldStart — signifies that the SNMP entity, supporting a notification originator 
application, is reinitializing itself and that its configuration might have been 
altered. This MIB is described in SNMPv2-MIB.txt. 

□ warmStart — signifies that the SNMP entity, supporting a notification 
originator application, is reinitializing itself such that its configuration is 
unaltered. This MIB is described in SNMPv2-MIB.txt. 

□ linkUp — signifies that the SNMP entity, acting in an agent role, has detected 
that the ifOper status object for one of its communication links left the down 
state and transitioned into some other state (but not into the notPresent state). 
This other state is indicated by the included value of ifoperstatus. This MIB 
is described in IF-MIB.txt. 

□ linkDown — signifies that the SNMP entity, acting in an agent role, has 
detected that the ifoperstatus object for one of its communication links is 
about to enter the downstate from some other state (but not from the 
notPresentstate). This other state is indicated by the included value of 
ifoperstatus. This MIB is described in IF-MIB.txt. 

The following traps require additional configuration: 

□ Authentication failure traps first must be enabled. See "Configuring SNMP" 
on page 30. 

□ The attack trap occurs if attack detection is set up. See Volume 5, Advanced 
Networking, Chapter 3: Attack Detection. 
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□ The disk/ sensor traps are driven by the health monitoring settings (as is the 
health monitoring trap). See "Changing Threshold and Notification 
Properties" on page 52. 

□ The health check trap occurs if it is set up in the health check configuration. 
See Volume 5, Advanced Networking, Chapter 1: Verifying the Health of Services 
Configured on the ProxySG, "Configuring Health Check Notifications" on 
page 17. 

□ The policy trap goes off if there is policy to trigger it. See Volume 6: The Visual 
Policy Manager and Advanced Policy Tasks or Volume 10: Content Policy Language 
Guide. Many of the feature descriptions throughout the volumes also include 
information about setting policy. 

See Also 

□ "Configuring SNMP" on page 30 

□ "Changing Threshold and Notification Properties" on page 52 

□ "Configuring Community Strings for SNMPvl and SNMPv2c" 

□ "Configuring SNMP Traps for SNMPvl and SNMPv2c" 

□ "Configuring SNMP Users for SNMPv3" 

□ "Configuring SNMP Traps and Informs for SNMPv3" 

About Management Information Bases (MIBs) 

A Management Information Base (MIB) is a text file (written in the ASN.l data 
description language) that contains the description of a managed object. SNMP 
uses a specified set of commands and queries, and the MIBs contain information 
about these commands and the target objects. 

One of the many uses for MIBs is to monitor system variables to ensure that the 
system is performing adequately. For example, a specific MIB can monitor 
variables such as temperatures and voltages for system components and send 
traps when something goes above or below a set threshold. 

The Blue Coat MIB specifications adhere to RFC1155 (vl-SMI), RFC1902 (v2-SMI), 
RFC1903 (v2-TC), and RFC1904 (v2-CONF.) 



Note: Some common MIB types, such as 64-bit counters, are not supported by 
SNMPvl. We recommend using either SNMPv2c or, for best security. 



SNMPv3. 



Obtaining the MIB Files 

The ProxySG uses both public MIBs and Blue Coat proprietary MIBs. You can 
download the MIB files from the Blue Coat Web site. 
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To download the MIBs: 

1. Go to http:/ / download.bluecoat.com. 

2. Click the link for the SGOS version you have. The page displays for the 
software release you specified. 

3. In the right frame of the Web page, click SG 5.x MIBs. A file download dialog 
displays. 

4. Click Save to navigate to the location to save the zip file of MIBs. 



Note: To load the Blue Coat MIBs on an SNMP network manager, be sure to load 
the dependent MIBs, as well. Most commercial SNMP-based products load these 
MIBs when the software starts. 



Adding and Enabling an SNMP Service and SNMP Listeners 

There is one disabled SNMP listener defined by default on the ProxySG, which 
you can delete or enable, as needed. You can also add additional SNMP services 
and listeners. Although you can configure traps and informs to go out if all the 
SNMP listeners are deleted or disabled, configuring SNMP listeners sets up the 
UDP and TCP ports the ProxySG uses to listen for SNMP commands. The service 
ports set up for listening to SNMP requests are independent of the trap or inform 
addresses and ports specified for sending traps. 



Note: For information about editing or deleting SNMP services and listeners, see 
"Modifying SNMP Services and Listeners" on page 28. 



To add and enable an SNMP service and listeners: 

1. Select Configuration > Services > Management Services. The Management Services 
tab displays. 

2. Click Add. The New Service dialog displays. 
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3. Enter a name for the SNMP Service. 

4. In the Services drop-down list, select SNMP. 

5. Click New. The New Listener dialog displays. 




6. In the Destination addresses section, select All SG IP addresses or select IP Address 

and select a specific IP address in the drop-down list. 

7. Enter the port for this listener. 

8. Select Enabled to enable this listener. 

9. Click OK to close the New Listener dialog, then click OK again to close the New 
Service dialog. 

10. Click Apply. 

Related Syntax to Add SNMP Services 

# (config) management-services 

# (config management-services) create snmp service_name 
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Related Syntax to Add SNMP Listeners 

# (config) management-services 

# (config management-services) edit snmp service_name 
# (config snmp_service_name) add {all | proxy_ip port} 

All selects all IP addresses on the proxy. Alternatively, you can select a 
specific proxy's IP address. You must always choose a port. By default, the 
listener is enabled. 

See Also 

a "Modifying SNMP Services and Listeners" 

□ Chapter 3: About Proxy Services and Proxies in Volume 2, Proxies and Proxy 
Services 

Modifying SNMP Services and Listeners 

After you create and enable SNMP services and listeners, you can edit the settings 
and disable, enable, or delete them according to your current business needs. 

To edit an SNMP service and listeners: 

1. Select Configuration > Services > Management Services. The Management Services 
tab displays. 

2. Click Edit. The Edit Service dialog displays. 
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3. Select a listener in the list and click Edit. The Edit Listener dialog displays. 

4. Edit the listener settings as required, then click OK to close the Edit Listeners 
dialog. 

5. Click OK to close the Edit Service dialog, then click Apply. 

Related Syntax to Enable SNMP Listeners 

#(config) snmp 

#(config snmp) enable {all | proxy_ip port] 

Enable all SNMP listeners or a specific SNMP listener. 

Related Syntax to Disable SNMP Listeners 

#(config) snmp 

#(config snmp) disable {all | proxy_ip port} 

Disable all SNMP listeners or a specific SNMP listener. 

To delete an SNMP service: 

1. Select Configuration > Services > Management Services. The Management Services 
tab displays. 

2. Select the SNMP service to delete and click Delete. A dialog box prompts you 
to confirm the deletion. 

3. Click OK to delete the SNMP service, then click Apply. 

Related Syntax to Delete an SNMP Service 

#(config) management-services 

# (config management-services) delete service_name 
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To delete an SNMP listener: 

1. Select Configuration > Services > Management Services. The Management Services 
tab displays. 

2. Select an SNMP service in the list and click Edit. The Edit Service dialog 
displays. 

3. Select the listener to delete and click Delete. A dialog box prompts you for 
confirmation. 

4. Click OK to delete the listener, then click OK again to close the Edit Service 
dialog. 

5. Click Apply. 

Related Syntax to Delete an SNMP Listener 

# (config snmp_service_name) remove {all I proxy_ip port } 

Remove all SNMP listeners or a specific SNMP listener. 

See Also 

□ "Adding and Enabling an SNMP Service and SNMP Listeners" 

□ Chapter 3: About Proxy Services and Proxies in Volume 2, Proxies and Proxy 
Services 

Configuring SNMP 

After you add and enable at least one SNMP service, you are ready to configure 
SNMP communities and users and enable traps and informs. However, to enable 
the ProxySG to listen for SNMP commands, be sure to enable at least one SNMP 
listener. See "Adding and Enabling an SNMP Service and SNMP Listeners" on 
page 26. 

To configure SNMP: 

1. Select Maintenance > SNMP. 
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2. Set the SNMP protocols: 

a. By default, SNMPvl, SNMPv2, and SNMPv3 are all enabled. Select the 
specific versions that match the configuration of your SNMP manager. 

Note: Only SNMPv3 uses the Engine ID, which is required to be unique 
among SNMP agents and systems that are expected to work together. 

The Engine ID is set by default to a value that is derived from the 
ProxySG serial number and the Blue Coat SNMP enterprise code. This is 
a unique hexadecimal identifier that is associated with the ProxySG. It 
appears in each SNMP packet to identify the source of the packet. The 
configured bytes must not all be equal to zero or to OFFH (255). 



b. (Optional) If you reset the engine ID and want to return it to the 

default, click Set to Default. You do not need to reboot the system after 
making configuration changes to SNMP. 

3. Enable traps and informs, as required. 

a. Select Enable use of traps and informs to enable SNMP traps (for 
SNMPvl, SNMPv2c, and SNMPv3) or informs (for SNMPv2c and 
SNMPv3 only). 

b. Select Enable SNMP authentication failure traps to have an SNMP 
authentication failure trap sent when the SNMP protocol has an 
authentication failure. 
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Note: For SNMPvl and SNMPv2c, this happens when the community 
string in the SNMP packet is not correct (does not match one that is 
supported). For SNMPv3, this happens when the authentication hash of 
an SNMP packet is not correct for the specified user. 



c. To perform a test trap, click Perform test trap, enter the trap data (string) 
to be sent, and click Execute Trap. This sends a policy notification, as 
defined in the BLUECOAT-SG-POLICY-MIB, to all configured trap 
and inform recipients, and it is intended as a communications test. 

4. In the sysContact field, enter a string that identifies the person responsible for 
administering the appliance. 

5. In the sysLocation field, enter a string that describes the physical location of the 
appliance. 

6. Click Apply. 

Related Syntax to Configure SNMP 

#(config snmp) protocol snmpvl {disable | enable} 

#(config snmp) protocol snmpv2c {disable | enable} 

#(config snmp) protocol snmpv3 {disable | enable} 

#(config snmp) traps {disable | enable} 

# (config snmp) authentication-failure-traps {enable | disable} 

# (config snmp) test-trap string 
# (config snmp) sys-contact string 
# (config snmp) sys-location string 

See Also 

a "Adding and Enabling an SNMP Service and SNMP Listeners" 

□ "Configuring SNMP for SNMPvl and SNMPv2c" 

□ "Configuring SNMP Traps for SNMPvl and SNMPv2c" 

□ "Configuring SNMP for SNMPv3" 

a "Configuring SNMP Traps and Informs for SNMPv3" 

Configuring SNMP for SNMPvl and SNMPv2c 

Community strings are used for SNMPvl and SNMPv2c only. SNMPv3 replaces 
the use of a community string with the ability to define a set of users. See 
"Configuring SNMP for SNMPv3" on page 36. 

Configuring Community Strings for SNMPvl and SNMPv2c 

Community strings restrict access to SNMP data. After you define a community 
string, you set an authorization mode of either read or read-write to allow access 
using that community string. The mode none allows you to use a community 
string for traps and informs only. 
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To add a community string: 

1. Select Maintenance > SNMP > SNMPv1-v2c Communities. 



SNMP General SNMPvl-v2c Communities SMMPvl-v2c Traps | SNMPv3 Users J SNMPv3 Traps 

r SNMPvl and SNMPv2c Communities 




2. Click New. The Create Community dialog displays. 
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3. Enter the community string and select the authorization level (None, Read- 
only, or Read-write). 

4. To use all available source addresses, click OK and proceed to Step 4. 

5. To configure an access control list, select Enforce access control list for requests 
and click Edit ACL. The Source Addresses dialog displays. 

a. Click Add. The Add IP/Subnet dialog displays. 

b. Enter the IP/Subnet Prefix and the Subnet Mask, then click OK in all 
open dialogs until you return to the SNMPvl-v2c Communities tab. 

6. Click Apply. 

To edit a community string: 

1. Select Maintenance > SNMP > SNMPv1-v2c Communities. 

2. Select the community string to edit and click Edit. The Edit (community name) 
dialog displays. 

3. Edit the parameters as required, then click OK. 

4. Click Apply. 

Related Syntax to Add and Edit Community Strings 

# (config snmp) create community community_string 
# (config snmp) edit community commun±ty_string 
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See Also 

□ "Configuring SNMP" 

□ "Configuring SNMP for SNMPvl and SNMPv2c" 

□ "Configuring SNMP Users for SNMPv3" 

Configuring SNMP Traps for SNMPvl and SNMPv2c 

The ProxySG can send SNMP traps (for SNMPvl and SNMP v2c) and informs 
(for SNMPv2c) to a management station as they occur. Each SNMP notification is 
sent to all defined trap and inform receivers (of all protocols). You can also enable 
authorization traps to send notification of attempts to access the Management 
Console. 

If the system reboots for any reason, a cold start trap is sent. A warm start trap is 
sent if a you perform a software-only reboot without a hardware reset. No 
configuration is required. 

To add SNMP traps: 

1. Select Maintenance > SNMP > SNMP v1-v2c Traps. 

2. Click New. The Create Trap or Inform Receiver dialog displays. 




3. From the drop-down list, select a community string. 

4. Select the type of trap. The difference between a trap and an inform is that the 
SNMP manager that receives an inform request acknowledges the message 
with an SNMP response. No response is sent for regular traps. 

5. In the Receiver section, enter the IP address and port number. 

6. Click OK, then click Apply. 
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To edit a trap or inform: 

1. Select Maintenance > SNMP > SNMP v1-v2c Traps. 

2. Select a trap or inform in the list and click Edit. The Edit (trap name) Trap or 
Inform Receiver dialog displays. 

3. Edit the settings as desired and click OK. 

4. Click Apply. 



Related Syntax to Add SNMP Traps for SNMPvl and SNMPv2c 



# (config snmp community community_string) 

# (config snmp community community^string) 

# (config snmp community community^string) 

# (config snmp community community^string) 

IP [ -.port ] } 

# (config snmp community community^string ) add trap snmpv2c udp 
IP [ -.port] 



add { inform | trap } 
add inform udp IP [: port ] 
add trap { snmpvl | snmpv2c} 
add trap snmpvl udp 



See Also 

□ "About SNMP Traps and Informs" 

□ "Configuring SNMP" 

a "Configuring SNMP for SNMPvl and SNMPv2c" 
a "Configuring Community Strings for SNMPvl and SNMPv2c" 

□ "Configuring SNMP for SNMPv3" 

□ "Configuring SNMP Users for SNMPv3" 

□ "Configuring SNMP Traps and Informs for SNMPv3" 



Configuring SNMP for SNMPv3 

For SNMPv v3, you configure users instead of community strings. You then 
configure the traps and informs by user rather than by community string. 

About Passphrases and Localized Keys 

Although it is optional to use passphrases or localized keys, using one or the other 
provides the increased security of SNMPv3. For most deployments, passphrases 
provide adequate security. For environments in which there are increased 
security concerns, you have the option of setting localized keys instead of 
passphrases. In the configuration, if you set a passphrase, any localized keys are 
immediately deleted and only the passphrase remains. If you set a localized key, 
any passphrase is deleted and the localized key is used. 

If you need to use localized keys, you can enter one for the ProxySG and add keys 
for other specified Engine IDs. Since the ProxySG acts as an agent, its localized 
key is all that is needed to conduct all SNMP communications, with the single 
exception of SNMP informs. For informs, you need to provide the localized key 
that corresponds to each engine ID that is going to receive your informs. 
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Configuring SNMP Users for SNMPv3 

Before you can configure SNMPv3 traps and informs, you must set up users and 
their associated access control settings. When you set up users, you configure 
authentication and privacy settings, as required. 



Note: The enhanced security of SNMPv3 is based on each user having an 
authentication passphrase and a privacy passphrase. For environments in 
which there are increased security concerns, you have the option of setting up 
localized keys instead of passphrases. 

You can enable authentication without enabling privacy, however, you 
cannot enable privacy without enabling authentication. In an authentication- 
only scenario, a secure hash is done so the protocol can validate the integrity 
of the packet. Privacy adds the encryption of the packet data. 



To configure SNMP users: 

1. Select Maintenance > SNMP > SNMPv3 Users. 

2. Click New. The Create User dialog displays. 
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3. Enter the name of the user. 

4. Set up authentication. 

a. Select the authentication mode: MD5 (Message Digest Version 5) or SHA 
(Secure Hash Algorithm). 

b. Click Change Passphrase to set or change the authentication passphrase. 
If your environment requires a higher level of security you have the 
option of setting up localized keys instead of passphrases. See Step c. 

• Enter and confirm the passphrase, then click OK. 

c. (Optional) To set up localized keys for authentication instead of using 
an authentication passphrase, click Set Localized Keys. The Localized 
Keys dialog displays. When you set up localized keys, any password is 
deleted and the localized keys are used instead. 

• Click New. The Set Localized Key dialog displays. 

• If the Engine ID is Self, enter and confirm the localized key 
(hexadecimal), then click OK. 
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• To add additional localized keys, enter the Engine ID (hexadecimal) 
and the localized key, then click OK. 

5. Set up privacy 

a. To set up the privacy mode, select DES (Data Encryption Standard) or 
AES (Advanced Encryption Standard). 

b. Click Change Passphrase to set or change the privacy passphrase. If 
your environment requires a higher level of security, you have the 
option of setting up localized keys instead of passphrases. See Step c. 

• Enter and confirm the passphrase, then click OK. 

c. (Optional) To set up localized keys for privacy instead of using a 
privacy passphrase, click Set Localized Keys. The Localized Keys dialog 
displays. If you have set up a privacy passphrase, you will not be able 
to set up localized keys. 

• Click New. The Set Localized Key dialog displays. 

• If the Engine ID is Self, enter and confirm the localized key 
(hexadecimal), then click OK. 

• To add additional localized keys, enter the Engine ID (hexadecimal) 
and the localized key, then click OK. 

6. Select the Authorization mode for this user: None, Read-only, or Read-write. 

7. Click OK to close the Create User dialog. 

8. Click Apply. 

To edit a user: 

1. Select Maintenance > SNMP > SNMPv3 Users. 

2. Select the user to edit and click Edit. The Edit (user name) dialog displays. 

3. Edit the parameters as required, then click OK. 

4. Click Apply. 

Related Syntax to Add a User for SNMPv3 

#(config snmp) create user username 

Related Syntax to Edit a User for SNMPv3 

#(config snmp) edit user username 

This changes the prompt to: 

# (config snmp user username) 

For a complete list of the commands to edit an SNMPv3 user, see Chapter 3 
"Privileged Mode Commands" in Volume 11: Command Line Interface Reference. 



See Also 

□ "Configuring SNMP' 
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a "Configuring Community Strings for SNMPvl and SNMPv2c" 
a "Configuring SNMP Traps for SNMPvl and SNMPv2c" 
a "Configuring SNMP Traps and Informs for SNMPv3" 

Configuring SNMP Traps and Informs for SNMPv3 

Traps and informs are both available for SNMPv3. The difference between a trap 
and an inform is that the SNMP manager that receives an inform request 
acknowledges the message with an SNMP response; no response is sent for 
regular traps. 

To configure SNMP traps for SNMPv3: 

1. Select Maintenance > SNMP > SNMPv3 Traps. 

2. Click New. The Create Trap or Inform Receiver dialog displays. 




3. Select the user from the drop-down list. 

4. Select SNMPv3 Trap or SNMPv3 Inform. 

5. In the Receiver section, enter the IP address and port number. 

6. Click OK, then click Apply. 

To edit a trap or inform: 

1. Select Maintenance > SNMP > SNMPv3 Traps. 

2. Select a trap or inform in the list and click Edit. The Edit (trap name) Trap or 
Inform Receiver dialog displays. 

3. Edit the settings as desired and click OK. 

4. Click Apply. 
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Related Syntax to Add and Edit Traps and Informs for SNMPv3 

#(config snmp)edit user username 

This changes the prompt to: 

# (config snmp user username) 

#(config snmp user username ) add {inform | trap} 

# (config snmp user username) add inform udp IP[:port] 

# (config snmp user username) add trap udp IP[:port] 

For the full list of subcommands to edit traps and informs for SNMPv3 users, see 
Chapter 3 "Privileged Mode Commands" in Volume 11: Command Line Interface 
Reference. 

See Also 

a "About SNMP Traps and Informs" 
a "Configuring SNMP" 

□ "Configuring SNMP for SNMPvl and SNMPv2c" 

□ "Configuring SNMP Traps for SNMPvl and SNMPv2c" 
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Section E: Configuring Health Monitoring 

The health monitor records the aggregate health of the ProxySG, by tracking 
status information and statistics for select resources, and aids in focusing 
attention when a change in health state occurs. On the ProxySG, the health 
monitor tracks the status of key hardware components (such as the thermal 
sensors, and CPU use), and the health status for configured services (such as 
ADN). When the health monitor detects deviations in the normal operating 
conditions of the device, the health status changes. 

A change in health status does not always indicate a problem that requires 
corrective action; it indicates that a monitored metric has deviated from the 
normal operating parameters. The health monitor aids in focusing attention to the 
possible cause(s) for the change in health status. 

In Figure 2-1 below, the Health: monitor displays the overall health of the ProxySG 
in one of three states, OK, Warning, or Critical. Click the link to view the Statistics > 
Health Monitoring page, which lists the status of the system's health monitoring 
metrics. 




Figure 2-1 Health Monitor as displayed on the Management Console 

About Health Monitoring 

Health Monitoring allows you to set notification thresholds on various internal 

metrics that track the health of a monitored system or device. Each metric has a 

value and a state. 

The value is obtained by periodically measuring the monitored system or device. 

In some cases, the value is a percentage or a temperature measurement; in other 

cases, it is a status like "Disk Present" or "Awaiting Approval". 

The state indicates the condition of the monitored system or device: 

□ OK — The monitored system or device is behaving within normal operating 
parameters. 

□ — The monitored system or device is outside typical operating 
parameters and may require attention. 

□ CRITICAL — The monitored system or device is failing, or is far outside 
normal parameters, and requires immediate attention. 
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The current state of a metric is determined by the relationship between the value 
and its monitoring thresholds. The Warning and Critical states have thresholds, 
and each threshold has a corresponding interval. 

All metrics begin in the OK state. If the value crosses the Warning threshold and 
remains there for the threshold's specified interval, the metric transitions to the 
Warning state. Similarly, if the Critical threshold is exceeded for the specified 
interval, the metric transitions to the Critical state. Later (for example, if the 
problem is resolved), the value will drop back down below the Warning 
threshold. If the value stays below the Warning threshold longer than the 
specified interval, the state returns to OK. 

Every time the state changes, a notification occurs. If the value fluctuates above 
and below a threshold, no state change occurs until the value stays above or 
below the threshold for the specified interval of time. 

This behavior helps to ensure that unwarranted notifications are avoided when 
values vary widely without having any definite trend. You can experiment with 
the thresholds and intervals until you are comfortable with the sensitivity of the 
notification settings. 

Health Monitoring Example 

Figure 2-2 shows an example of health monitoring. Note that the graph is divided 
into horizontal bands associated with each of the three possible states. The lower 
horizontal line represents the Warning threshold and the upper horizontal line is 
the Critical threshold. The vertical bands represent 5 second time intervals. 

Assume both thresholds have intervals of 20 seconds, and that the metric is 
currently in the OK state. 

1. At time 0, the monitored value crosses the Warning threshold. No transition 
occurs yet. Later, at time 10, it crosses the critical threshold. Still, no state 
change occurs, because the threshold interval has not elapsed. 

2. At time 20, the value has been above the warning threshold for 20 seconds— 
the specified interval. The state of the metric now changes to Warning, and a 
notification is sent. Note that even though the metric is currently in the critical 
range, the State is still Warning, because the value has not exceeded the 
Critical threshold long enough to trigger a transition to Critical. 

3. At time 25, the value drops below the Critical threshold, having been above it 
for only 15 seconds. The state remains at Warning. 

4. At time 30, it drops below the Warning threshold. Again the state does not 
change. If the value remains below the warning threshold until time 50, then 
the state will change to OK. 

5. At time 50, the state transitions to OK. This transition occurs because the 
monitored value has remained below the Warning threshold for the 
configured interval of 20 seconds. 
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20 seconds above the Warning threshold a Warning notification is sent 




OK notification is sent 

Legend: 

^ ^ Configured threshold interval, 20 seconds 
O Threshold at which notification is sent 

- — — - Trend of the monitored value 

Figure 2-2 Relationship between the threshold value and threshold interval 

Health Monitoring Cycle 

The health monitoring process is a cycle that begins with the health state at OK. 
When the health monitor detects a change in the value of a monitored metric, the 
health state changes. The Health: indicator reflects the change in status. 



Note: A change in health status does not always indicate a problem that requires 
corrective action; it indicates that a monitored metric has deviated from the 
normal operating parameters. 



The Health: indicator is always visible in the Management Console, and the color 
and text reflect the most severe health state for all metrics — red for Critical, yellow 
for Warning, and green for OK. In the Health Monitoring > Statistics panel, the tabs for 
General, License, and Status metrics change color to reflect the most severe state of 
the metrics they contain. You might click the tabs to view the problem and assess 
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the information. Based on the cause for the alert, the administrator might take 
diagnostic action or redefine the "normal" operating parameters for the metric 
and restore the health state of the ProxySG. 

For example, if the revolutions per minute for Fan 1 Speed falls below the warning 
threshold, the appliance's health transitions to Warning. Since Fan 1 Speed is a 
metric in the status tab, the Statistics > Health Monitoring > Status tab turns yellow. 

By clicking the Health: link and navigating to the yellow tab, you can view the 
alert. You might then examine the fan to determine whether it needs to be 
replaced (due to wear and tear) or if something is obstructing its movement. 

To facilitate prompt attention for a change in the health state, you can configure 
notifications on the appliance. 

Planning Considerations for Using Health Monitoring 

The health monitor indicates whether the ProxySG is operating within the default 
parameters set on the appliance. Blue Coat recommends that you review these 
settings and adjust them to reflect the normal operating parameters for your 
environment. You can configure: 

□ Thresholds, to define what measurements generate warnings or critical alerts. 
See "Changing Threshold and Notification Properties" on page 52. 

□ Time intervals, that determine whether a threshold has been crossed and 
whether an alert should be sent. See "Changing Threshold and Notification 
Properties" on page 52. 

□ The means by which alerts are delivered, any combination of e-mail, SNMP 
trap, event log, or none. See "Setting Up Event Logging and Notification" on 
page 17 for more information. 

About the Health Monitoring Metric Types 

The ProxySG monitors the status of the following metrics: 

□ Hardware — Disk, Voltage, Temperature, Fan speed. Power supply 

□ System Resources — CPU, Memory, and Network usage 

□ ADN Status 

□ License Expiration and Utilization 

□ Health Check Status — health status of external services used by the appliance 

These health monitoring metrics are grouped as General, Licensing, or Status 
metrics. 

The system resources and licensing thresholds are user-configurable, meaning 
that you can specify the threshold levels that will trigger an alert. 

The hardware and ADN status metrics are not configurable and are preset to 
optimal values. For example, on some platforms, a Warning is triggered when the 
CPU temperature reaches 55 degrees Celsius. 
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The health check status metric is also not configurable. It takes into account the 
most acute value amongst the configured health checks and the severity 
component for each health check. 

Severity of a health check indicates how the value of a failed health check affects 
the overall health of the ProxySG, as indicated by the health monitor. 

If, for example, three health checks are configured on the ProxySG: 

□ dns .192.0.2.4 with severity No-effect 

□ fwd. test with severity Warning 

□ auth . service with severity Critical 

The value of the health check status metric adjusts in accordance with the success 
or failure of each health check and its configured severity as shown below: 

If all three health checks report healthy, the health check status metric is OK. 

If dns .192.0.2.4 reports unhealthy, the health check status remains OK. The 
health check status metric does not change because its severity is set to no-effect. 

If fwd. test reports unhealthy, the health check status transitions to Warning. This 
transition occurs because the severity for this health check is set to warning. 

If auth. service reports unhealthy, the health check status becomes Critical 
because its severity is set to critical. 

Subsequently, even if fwd. test reports healthy, the health check status remains 
critical as auth . service reports unhealthy. 

The health check status will transition to OK only if both fwd . test and 
auth . service report healthy. 



Table 2-2 Health Check Status Metric — Combines the Health Check Result and the Severity Option 



Configured 
Health Checks 


Reporting as... 


dns. 192. 0.2. 4 

severity: no-effect 


Healthy 


Unhealthy 


Unhealthy 


Healthy 


Healthy 


Healthy 


Healthy 


fwd. test 

severity: warning 


Healthy 


Healthy 


Unhealthy 


Unhealthy 


Unhealthy 


Healthy 


Healthy 


auth . service 

severity: critical 


Healthy 


Healthy 


Healthy 


Healthy 


Unhealthy 


Unhealthy 


Healthy 


Health Check 
Status 


OK 


OK 


Warning 


Warning 


Critical 


Critical 


OK 



You can configure the default Severity for all health checks in the Configuration > 
Health Checks > General > Default Notifications tab. For more information on 
configuring the severity option for health checks, refer to Volume 5: Advanced 
Networking. 
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About the General Metrics 

The following table lists the metrics displayed in the Maintenance > Health 
Monitoring > General page. The thresholds and intervals for these metrics are user- 
configurable. 

To view the statistics on CPU utilization and memory utilization on the ProxySG, 
see "Viewing System Statistics" on page 103. 

To view the statistics on interface utilization, refer to Chapter 10 in Volume 1: 
Getting Started. 



Table 2-3 General Health Monitoring Metrics 



Metric 


Default Values 


Notes 




Critical Threshold / 
Interval 


Warning Threshold / 
Interval 




CPU Utilization 


95% / 120 seconds 


80% / 120 seconds 


Measures the value of the 
primary CPU on multi- 
processor systems — not 
the average of all CPU 
activity. 


Memory 

Utilization 


95% / 120 seconds 


90% / 120 seconds 


Measures memory use 
and tracks when memory 
resources become limited, 
causing new connections 
to be delayed. 


Interface 

Utilization 


90% / 120 seconds 


60% / 120 seconds 


Measures the traffic (in 
and out) on the interface 
to determine if it is 
approaching the 
maximum capacity, 
(bandwidth maximum) 



See Also: 

□ "Changing Threshold and Notification Properties" on page 52 

□ "Snapshot of the Default Threshold Values and States" on page 50 

□ "Health Monitoring Cycle" on page 44 

□ "Health Monitoring Example" on page 43 

About the Licensing Metrics 

The following table lists the metrics displayed in the Maintenance > Health 
Monitoring > Licensing page. On the license page, you can monitor the utilization of 
user-limited licenses and the expiration of time-limited licenses. Licenses that do 
not expire or do not have a user limit are not displayed because there is no need to 
monitor them for a change in state that could affect the ProxySG appliance's 
health. 
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About License Expiration Metrics 

The threshold values for license expiration metrics are set in days until expiration. 
In this context, a critical threshold indicates that license expiration is imminent. 
Thus, the Critical threshold value should be smaller than the Warning threshold 
value. For example, if you set the Warning threshold to 45, an alert is sent when 
there are 45 days remaining in the license period. The Critical threshold would be 
less than 45 days, for example 5 days. 

For license expiration metrics, the threshold interval is irrelevant and is set to 0. 



Note: For new ProxySG appliances running SGOS 5.3, the default Warning 
threshold for license expiration is 15 days. 

For ProxySG appliances upgrading from earlier versions to SGOS 5.3, the default 
Warning threshold remains at the same value prior to the upgrade. For example, 
if the Warning threshold was 30 days prior to the upgrade, the Warning threshold 
will remain at 30 days after the upgrade. 

Refer to the most current Release Notes for SGOS upgrade information. 



Table 2-4 Licensing Health Monitoring Metrics 



Metric 


Default Values 


Notes 




Critical Threshold / 
Interval 


Warning Threshold / 
Interval 




License 

Utilization 


90% / 120 seconds 


80% / 120 seconds 


Monitors the number of 
users using the ProxySG. 


License 

Expiration 


0 days / 0 


15 days / 0 

(For new ProxySG 
appliances running SGOS 
5.3, see note above) 


Warns of impending 
license expiration. 


30 days / 0 

(For non-new ProxySG 
appliances upgrading 
from earlier versions of 
the SGOS) 



About the Status Metrics 

The following table lists the metrics displayed in the Maintenance > Health 
Monitoring > Status page. The thresholds for these metrics are not user- 
configurable. 
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Table 2-5 Status Health Monitoring Metrics 



Metric 


Threshold States and 
Corresponding Values 


Disk Status 


Critical: 

Bad 

Warning: 

Removed 

Offline 

OK: 

Not Present 
Present 


Temperature — Motherboard and CPU 


Threshold states and values vary by 
ProxySG models 


Fan Speed 


Threshold states and values vary by 
ProxySG models 


Voltage — Bus Voltage, CPU Voltage, Power 


Threshold states and values vary by 


Supply Voltage 


ProxySG models 


ADN Connection Status 


OK: 

Connected 

Connecting 

Connection Approved 

Disabled 

Not Operational 

Warning: 

Approval Pending 
Mismatching Approval Status 
Partially Connected 
Critical: 

Disconnected 
Connection Denied 

See Volume 5: Advanced 
Netzvorking for more information 
about the ADN metrics. 


ADN Manager Status 


OK: 

Not a Manager 
No Approvals Pending 

Warning: 

Approvals Pending 
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Table 2-5 Status Health Monitoring Metrics (Continued) 



Health Check Status 


OK: 




No health checks with 




Severity: Warning or Critical are 
failing. A health check with Severity: 
No-effect might be failing. 




Warning: 

One or more health checks with 
Severity: Warning has failed. 
Critical: 

One or more health checks with 
Severity: Critical has failed. 



Snapshot of the Default Threshold Values and States 

See the table below for a quick glance at the health states and their corresponding 
threshold values: 

Table 2-6 Health States and the Default Values for the Health Monitoring Metrics 



General 


Health States and Corresponding Default Values 


Metric 






Critical 


CPU Utilization 


less than 80% 


80% 


95% 


Memory Utilization 


less than 90% 


90% 


95% 


Interface Utilization 


less than 60% 


60% 


90% 




Licensing 


States and Corresponding Values 


Metric 






Critical 


License Utilization 


less than 80% 


80% 


90% 


License Expiration 


more than 15 days* 
more than 30 days ** 


15 days* 
30 days** 


0 days 
0 days 



*For new ProxySG appliances running SGOS 5.3 

** For non-new ProxySG appliances upgrading from earlier versions of the SGOS 



Status 


States and Corresponding Values 


Metric 






Critical 


Disk status 


Present/ Not Present 


Removed 


Error 


Temperature 


Vary by ProxySG models 


Fan Speed 


Vary by ProxySG models 


Voltage 


Vary by ProxySG models 
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Status 


States and Corresponding Values 


ADN Connection Status 


Connected 

Connecting 

Connection Approved 

Disabled 

Not Operational 


Approval 
Pending 
Mismatching 
Approval Status 

Partially 

Connected 


Disconnected 

Connection 

Denied 


ADN Manager 


Not a Manager 
No Approvals Pending 


Approval 

Pending 




Health Check Status 


No health checks with 
Severity: Warning or 
Critical are failing. 

A health check with 
Severity: No-effect might 
be failing. 


One or more 
health checks 
with Severity: 
Warning has 
failed. 


One or more 
health checks 
with 

Severity: Critical 
has failed. 



51 



Volume 9: Managing the Blue Coat ProxySG Appliance 



Section E: Configuring Health Monitoring 

Changing Threshold and Notification Properties 

You can change the thresholds for the metrics in the General and Licensing tab to 
suit your network requirements. For the defaults, see "About the Health 
Monitoring Metric Types" on page 45. 

For health monitoring notifications, by default, all alerts are written to the event 
log. Any combination of the following types of notification can be set: 

□ Log: Inserts an entry into the Event log. See "Setting Up Event Logging and 
Notification" on page 17 for more information. 

□ SNMP trap: Sends an SNMP trap to all configured management stations. See 
Section D: "Configuring SNMP" on page 23 for more information 

□ E-mail: Sends e-mail to all persons listed in the Event log properties. 

Use the following procedure to modify the current settings. 

To change the threshold and notification properties: 

1. Select Maintenance > Health Monitoring. 

2. Select the tab for the metric you wish to modify. 

• To change the system resource metrics, select General. 

• To change the hardware, ADN status and health check status metrics, 
select Status. 

• To change the licensing metrics, select Licensing. 

3. Click Edit to modify the threshold and notification settings. The Edit Health 
Monitor Setting dialog displays. Hardware, health check, and ADN thresholds 
cannot be modified. 
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4. Modify the threshold values: 

a. To change the critical threshold, enter a new value in the Critical 
Threshold field. 

b. To change the critical interval, enter a new value in the Critical Interval 
field. 

c. To change the warning threshold, enter a new value in the Warning 
Threshold field. 

d. To change the warning interval, enter a new value in the Warning 
Interval field. 

5. Modify the notification settings. 

• Log adds an entry to the Event log. 

• Trap sends an SNMP trap to all configured management stations. 

• Email sends an e-mail to the addresses listed in the Event log properties. 
See "Setting Up Event Logging and Notification" on page 17 for more 
information. 

6. Click OK to close the Edit Metric dialog. 

7. Click Apply. 

Related CLI Syntax to Modify Threshold and Notification Properties 

# (config) alert threshold cpu-utilization warning_threshold 

warning_interval critical_threshold critical_interval 

# (config) alert threshold license-utilization users warning_threshold 

warning_interval critical_threshold critical_interval 

# (config) alert threshold license-expiration {sgos | ssl} 

warning_threshold cri tical_threshold 
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# (config) alert threshold memory-utilization warning_threshold 
warning_interval critical_threshold critical_interval 
# (config) alert threshold network-utilization adapter : inter face 
warning_threshold warning_interval critical_threshold 
critical interval 

# (config) alert notification adn {connection | manager } {email | log | 
trap | none } 

# (config) alert notification cpu-utilization {email | log | trap | 
none} 

# (config) alert notification disk-status {email | log | trap | none} 

# (config) alert notification health-check {email | log | trap | none} 
# (config) alert notification license-utilization users {email | log | 
trap | none } 

# (config) alert notification license-expiration { sgos | ssl} {email | 
log | trap | none} 

# (config) alert notification memory-utilization {email | log | trap | 
none} 



# (config) alert notification 
{email | log | trap | none} 

# (config) alert notification 
# (config) alert notification 
none} 

# (config) alert notification 
none} 



# (config) alert notification 



network-utilization adapter: interface 

sensor fan {email | log | trap | none} 
sensor power- supply {email | log | trap | 

sensor temperature {email | log | trap | 

sensor voltage {email | log | trap | none} 



Viewing Health Monitoring Statistics 

While the Health: indicator presents a quick view of the appliance's health, the 
Statistics > Health Monitoring page provides more information about the current 
state of the health monitoring metrics. 

To review the health monitoring statistics: 

1. From the Management Console, select Statistics > Health Monitoring. 
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Statistics 



Health: Warning 



General Status 



Metric 


Value 


State 


Disk 1 Status 


present 


OK 


Motherboard temperature 


31.4 degrees C 


OK 


CPU temperature 


32.4 degrees C 


OK 


ADN Connection Status 


Partially connected 


Warning 


ADN Manager Status 


No approvals pending 


OK 


Health Check Status 


OK 


OK 



Set thresholds... 



View 



Help 



2. Select a health monitoring statistics tab: 



• General: Lists the current state of CPU utilization, interface utilization, 
memory utilization. 

• Licensing: Lists the current state of license utilization and license 
expiration. 

• Status: Lists the current state of ADN status, hardware (including disk 
status, temperature, fan speed, power supply) and health check status. 

3. To get more details about a metric, highlight the metric and click View. The 

View Metrics Detail dialog displays. 
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4. Click Close to close the View Metrics Detail dialog. 

5. Optional — To modify a metric, highlight the metric and click Set Thresholds. 
The Maintenance > Health Monitoring page displays. To modify the metric, follow 
the procedure describe in "Changing Threshold and Notification Properties" 
on page 52. 

Related CLI Syntax to View Health Monitoring Statistics 

SGOS# (config) show system- resource-metrics 

The show system-resource-metrics command lists the state of the current system 
resource metrics. 



Interpreting Health Monitoring Alerts 

If you need assistance with interpreting the health monitoring alerts you receive, 

please contact Blue Coat Technical Support. For non-technical questions such as 

licensing or entitlements, contact Blue Coat Support Services. 

Blue Coat recommends the following guidelines to meet your support needs: 

1. Try Blue Coat Systems' self-help knowledge base at 
http:/ / www.bluecoat.com/ support/instantsupport 

2. If your request is non-urgent, open a Service Request using our Web Power 
customer support portal at http:/ /www.bluecoat.com/ support/webpower 

3. If your request is urgent, give us a call. The contact details and service hours 
are listed at http:/ /www.bluecoat.com/support/contactsupport 



Table 2-7 Technical Support and Support Services Contact Information 



Blue Coat Technical Support 


http: / /www.bluecoat.com/ support/ contactsupport 


Blue Coat Support Services 


Email: support.services@bluecoat.com 
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See Also: 

□ "About Health Monitoring" on page 42 

□ "Planning Considerations for Using Health Monitoring" on page 45 

□ "About the Health Monitoring Metric Types" on page 45 

□ "About License Expiration Metrics" on page 48 

□ "Snapshot of the Default Threshold Values and States" on page 50 

□ "Changing Threshold and Notification Properties" on page 52 

□ "Setting Up Event Logging and Notification" on page 17 

□ "Viewing Health Monitoring Statistics" on page 54 

□ "Interpreting Health Monitoring Alerts" on page 56 

□ "Health Monitoring Example" on page 43 

□ "Health Monitoring Cycle" on page 44 
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This chapter describes how to maintain the ProxySG; for example, restarting 
the appliance, restoring system defaults, upgrading the appliance, and 
reinitializing disks. 

Topics in this Chapter 

This chapter includes information about the following topics: 

□ "Restarting the ProxySG" on page 59 

□ "Restoring System Defaults" on page 60 

□ "Clearing the DNS Cache" on page 63 

□ "Clearing the Object Cache" on page 63 

□ "Clearing the Byte Cache" on page 63 

□ "Clearing Trend Statistics" on page 64 

□ "Upgrading the ProxySG" on page 64 

□ "Managing ProxySG Systems" on page 67 

□ "Disk Reinitiali z ation" on page 70 

□ "Deleting Objects from the ProxySG Appliance" on page 72 

Restarting the ProxySG 

The restart options control the restart attributes of the ProxySG if a restart is 
required because of a system fault. 



Important: The default settings of the Restart option suits most systems. 

Changing them without assistance from Blue Coat Systems Technical Support 
is not recommended. 



Hardware and Software Restart Options 

The Restart settings determine if the ProxySG does a faster software-only 
restart, or a more comprehensive hardware and software restart. The latter can 
take several minutes longer, depending upon the amount of memory and 
number of disk drives in the appliance. 

The default setting of Software only suits most situations. Restarting both the 
hardware and software is recommended in situations where a hardware fault is 
suspected. 

For information about the Core Image settings, see "Core Image Restart 
Options" on page 87. 
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Note: If you change restart option settings and you want them to apply to the 
next ProxySG restart, click Apply. 



To restart the ProxySG appliance: 

1. Select Maintenance > System and disks > Tasks. 




2. In the Restart field, select either Software only or Hardware and software. 

3. If you select the Hardware and software option, select a system from the System to 
run drop-down list. 

The default system is pre-selected. 

4. Click Apply. 

5. Click Restart now. 

6. Click OK to confirm and restart the ProxySG. 

Related CLI Syntax to Configure the Hardware/Software Restart Settings 

SGOS# (config) restart mode {hardware | software} 

SGOS# restart abrupt 
SGOS# restart regular 
SGOS# restart upgrade 

Restoring System Defaults 

SGOS allows you to restore some or all of the system defaults. Use these 
commands with caution. The restore-defaults command deletes most, but not 
all, system defaults: 

□ The restore-defaults command with the factory-defaults option 

reinitializes the ProxySG to the original settings it had when it was shipped 
from the factory. 
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□ The restore-defaults command with the keep-console option allows you to 
restore default settings without losing all IP addresses on the system. 

Restore-Defaults 

Settings that are deleted when you use the restore-defaults command include: 

□ All IP addresses (these must be restored before you can access the 
Management Console again). 

□ DNS server addresses (these must be restored through the CLI before you can 
access the Management Console again). 

□ Installable lists. 

□ All customized configurations. 

□ Third-party vendor licenses, such as SmartFilter or Websense. If you use the 
restore-defaults command after you have installed licenses, and the serial 
number of your system is configurable (older boxes only), the licenses fails to 
install and the ProxySG returns to the trial period (if any time is left). To 
correct the problem, you must configure your serial number and install your 
license-key again. 

□ Blue Coat trusted certificates. 

□ Original SSH (vl and v2) host keys (new host keys are regenerated). 

You can use the force option to restore defaults without confirmation. 

Factory-Defaults 

All system settings are deleted when you use the restore-defaults command 
with the factory-defaults option. 

The only settings that are kept when you use the restore-defaults command 
with the factory-defaults option are: 

□ Trial period information. 

□ The last five installed appliance systems, from which you can pick one for 
rebooting. 

The Setup Console password is also deleted if you use restore-defaults 
factory-defaults. For information on the Setup Console password, refer to 
Volume 4: Securing the Blue Coat ProxySG Appliance. 

You can use the force option to restore defaults without confirmation. 

Keep-Console 

Settings that are retained when you use the restore-defaults command with the 
keep-console option include: 

□ IP interface settings, including VLAN configuration. 

□ Default gateway and static routing configuration. 

□ Virtual IP address configuration. 
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□ Bridging settings. 

□ Failover group settings. 

Using the keep-console option retains the settings for all consoles (Telnet, SSH, 
HTTP, and HTTPS), whether they are enabled, disabled, or deleted. 
Administrative access settings retained using the restore-defaults command 
with the keep-console option include: 

□ Console username and password. 

□ Front panel pin number. 

□ Console enable password. 

□ SSH (vl and v2) host keys. 

□ Keyrings used by secure console services. 

□ RIP configurations. 

You can also use the force option to restore defaults without confirmation. 

To restore system defaults: 



Note: The keep-console and factory-defaults options are not available through 
the Management Console. 



1. Select Maintenance > System and disks > Tasks. 




2. From the Tasks field, click Restore the configuration to defaults. If you restore the 
configuration from the Management Console, most settings are lost because 
you cannot use the keep-console option. 

The Restore Configuration dialog appears. 

3. Click OK. 

Related CLI Syntax to Restore System Defaults 

SGOS# restore-defaults [keep-console] 
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SGOS# restore-defaults [keep-console] force 
SGOS# restore-defaults factory-defaults 

Clearing the DNS Cache 

You can clear the DNS cache at any time. You might need to do so if you have 
experienced a problem with your DNS server or if you have changed your DNS 
configuration. 

To clear the DNS cache: 

1. Select Maintenance > System and disks > Tasks. 

2. In the Tasks field, click Clear next to the DNS cache. 

3. Click OK to confirm in the Clear System DNS Cache dialog that displays. 

Related CLI Syntax to Clear the DNS Cache 

SGOS# clear-cache dns-cache 

Clearing the Object Cache 

You can clear the object cache at any time. 

When you clear the cache, all objects in the cache are set to expired. The objects are 
not immediately removed from memory or disk, but a subsequent request for any 
object requested is retrieved from the source before it is served. 

To clear the object cache: 

1. Select Maintenance > System and disks > Tasks. 

2. In the Tasks field, click Clear next to the object cache. 

3. Click OK to confirm in the Clear Cache dialog that displays. 

Related CLI Syntax to Clear the Object Cache 

SGOS# clear-cache object-cache 

Clearing the Byte Cache 

You can clear the byte cache at any time. You might want to do this for testing 
purposes. 

To clear the byte cache: 

1. Select Maintenance > System and disks > Tasks. 

2. In the Tasks field, click Clear next to the byte cache. 

3. Click OK to confirm in the Clear Byte Cache dialog that displays. 

Related CLI Syntax to Clear the Byte Cache 

SGOS# clear-cache byte-cache 
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Troubleshooting Tip 

Occasionally, the Management Console might behave incorrectly because of 
browser caching, particularly if the browser was used to run different versions of 
the Management Console. This problem might be resolved by clearing the 
browser cache. 

Clearing Trend Statistics 

You can clear all trend statistics at any time. 

To clear all trend statistics: 

1. Select Maintenance > System and disks > Tasks. 

2. In the Tasks field, click Clear next to the trend statistics. 

3. Click OK to confirm in the Clear Trend Statistics dialog that appears. 

Related CLI Syntax to Clear Trend Statistics 

SGOS# clear-statistics persistent 

Upgrading the ProxySG 

When an upgrade to the SGOS software becomes available, you can download it 
through the Internet and install it. You can also download it to your PC and install 
it from there if the ProxySG does not have Internet access. 

Using SGOS Signed System Images 

You can use either an unsigned system image or a signed system image when 
upgrading the ProxySG from SGOS 5.3 or higher. No configuration is required. 



Note: Only unsigned images were available prior to SGOS 5.3. This section 
discusses signed system images, available in SGOS 5.3 and higher. 



A signed system image is one that is cryptographically signed with a key known 
only to Blue Coat, and the signature is verified when the image is downloaded to 
the system. The integrity of the Blue Coat ProxySG depends upon the appliance 
running only SGOS code; a signed system image prevents an attacker from 
modifying a valid system image. 



Note: The first and most important security measure for a ProxySG is to restrict 
physical access to authorized individuals only. 



By convention, a signed system image has a . bcsi extension, as compared to an 
unsigned system image that has a . chk extension. Note, however, that since the 
signature is embedded in the image, renaming an unsigned image with a . bcsi 
extension does not change the fact that it is unsigned. 

For maximum security, you can prevent unsigned system images from being 
downloaded through either the Management Console and the CLI. 
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Upgrading the ProxySG Appliance 

The appliance must be running version SGOS 4.2.3.x or later to upgrade to SGOS 
5.x. You cannot directly upgrade from any previous version. If you are upgrading 
from a version prior to SGOS 5.3.x and want to use signed images, you must 
install an unsigned SGOS 5.3 image before you can install a signed image. SGOS 
versions prior to SGOS 5.3.x do not recognize signed images. 



Note: At least one other system must be unlocked to do the upgrade. If all 
systems are locked, or all systems except the running system are locked, the 
Download button in the Management Console is disabled. Similarly, the load 
upgrade command in the CLI generates an error. 



To upgrade the ProxySG appliance: 

1. Select Maintenance > Upgrade > Upgrade. 



Upgrade Systems 

Download new system software from this URL: 



http://buildarchive.bluecoat.com/builds/scorpius_legacy.3131 4/wdir/2xx . Download 



Replace: 



oldest unlocked system 



|~| Enforce installation of signed images 



r Upgrade actions 



Show me the SG Appliance systems available for download. 



Upload the system image from local file. 



Restart the default system. 



2. (Optional) To prevent unsigned system images from being downloaded on 
this system, select the Enforce installation of signed images option. (This option is 
only available when an SGOS 5.3 or higher image is on the system.) 



3. Click Show me to connect to the Blue Coat download page; follow the 
instructions and note the URL of the SGOS system upgrade for your 
model.Then enter the URL in the Download new system software from this URL 
field and click Download. 



-or- 

(Only if you previously downloaded a system image to your PC) Click Upload 
and Browse to the file location, then click Install. The upload might take several 
minutes. 
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BlueQCoat 



Management Console 



Upload and Install File 

Upload and Install the System Image 

1. Paste the file path into the bon below or choose a file 
by clicking the Browse... button and opening the file. 

2. Click Install to upload and install the new file. It can 
take some time for the upload to complete. Your 
browser may be unresponsive during the upload. 

3. Once the installation is completed the results will be 
displayed in a new page. Close the results page once 
you have finished viewing the results. 

File to upload: 



:uments and Settings^Desktop\2xx.CHK_dbg | Browse 



1 Install ] 



Close 



4. (Optional) Select the system to replace in the Replace drop-down list. If you 
uploaded an image from your PC, refresh the Systems pane to see the new 
system image. 

5. Click Restart. 



The Restart system dialog displays. 



Restart system 



- Restart system 

ARE YOU SURE YOU WANT TO RESTART THE SYSTEM? 
Press "OK" to initiate the restart sequence. 



[ OK | [ Cancel j 

6. Click OK to reboot the ProxySG appliance to the default system. 

Related CLI Syntax to Upgrade the SGOS Software 

□ To allow only signed system images on this system (optional): 

SGOS# (config) installed-systems 

SGOS# (config installed-systems) enf orce-signed enable 

Note: For more information on signed system images, see "Using SGOS 
Signed System Images" on page 64. 
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□ To identity the location where the system image is located: 

SGOS# (config) upgrade-path url 

where url is the location of the SGOS upgrade image. Note that if you 
previously downloaded an image and the path has not changed, you do 
not need to set the upgrade path again. 

SGOS# (config) exit 

□ To upload the image: 

SGOS# load upgrade [ ignore -warnings ] 

where ignore-warnings forces the installation to occur even if warnings 
exist. 

SGOS# restart upgrade 

Troubleshooting Tip 

If the ProxySG does not come up after rebooting and the serial port is connected 
to a terminal server (terminal concentrator), try the following: 

□ Have an active session open on the terminal server, noting any traffic 
(characters) being output. 

□ Unplug the terminal server from the appliance in case it is causing a problem 
(such as bad cabling). 

Managing ProxySG Systems 

The ProxySG Systems tab displays the five available systems. Empty systems are 
indicated by the word Empty. 

The system currently running is highlighted in blue and cannot be replaced or 
deleted. 

From this screen, you can: 

□ Select the SGOS system version to boot. 

□ Lock one or more of the available SGOS system versions. 

□ Select the SGOS system version to be replaced. 

□ Delete one or more of the available SGOS system versions (CLI only). 

□ View details of the available SGOS system versions. 

To view SGOS system replacement options: 

Select Maintenance > Upgrade > Systems. 
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Upgrade Systems 

- ProxySG Appliance Systems 



System Version Lock Replace Default 



SGOS 4.1. 3.1, Release ID: 23960 


0 


□ 


o 


Details 












SGOS 96.99.99.99, Release ID: 23996 Debs 


□ 


□ 


o 


Details 












SGOS 4.2.0. 7, Release ID: 241 1 9 Debug 


□ 


□ 


o 


Details 












| SGOS 4.2.0. 7, Release ID: 24130 Debug 


□ 




® 


Details 












Empty 




□ 




Details 



To view details for an SGOS system version: 

1. Select Maintenance > Upgrade > Systems. 

2. Click Details next to the system for which you want to view detailed 
information; click OK when you are finished. 



System Information 



r Detailed System Information 



1 



Version: SGOS 4. 1.3.1, Release ID: 239S0 

Creation date: Wednesday November 2 2005 10:23:53 UTC 

Boot Status: Last boot succeeded 

Last Successful Boot: Wednesday November 2 2005 20:31:53 UTC 



I 0K I 

To view details for an SGOS system version: 

At the command prompt: 

SGOS> show installed-systems 



Example Session 



SGOS> show installed-systems 

ProxySG Appliance Systems 

1. Version: SGOS 4. 2. 1.1, Release ID: 25460 

Thursday April 6 2006 08:49:55 UTC, Lock Status: Locked 

Boot Status: Last boot succeeded. Last Successful Boot: Thursday 

April 6 2006 17:33:19 UTC 

2. Version: SGOS 4. 2. 1.1, Release ID: 25552 Debug 
Friday April 14 2006 08:56:55 UTC, Lock Status: Unlocked 

Boot Status: Last boot succeeded. Last Successful Boot: Friday April 



14 2006 16:57:18 UTC 

3. Version: N/A, Release ID: 
No Timestamp, Lock Status: 
Boot Status: Unknown, Last 

4. Version: N/A, Release ID: 
No Timestamp, Lock Status: 
Boot Status: Unknown, Last 

5. Version: N/A, Release ID: 



N/A ( EMPTY ) 
Unlocked 
Successful Boot: 
N/A ( EMPTY ) 
Unlocked 
Successful Boot: 
N/A ( EMPTY ) 



Unknown 



Unknown 
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No Timestamp, Lock Status: Unlocked 

Boot Status: Unknown, Last Successful Boot: Unknown 
Default system to run on next hardware restart: 2 
Default replacement being used, (oldest unlocked system) 

Current running system: 2 

When a new system is loaded, only the system number that was replaced 
is changed. 

The ordering of the rest of the systems remains unchanged. 

Setting the Default Boot System 

This setting allows you to select the system to be booted on the next hardware 
restart. If a system starts successfully, it is set as the default boot system. If a 
system fails to boot, the next most recent system that booted successfully becomes 
the default boot system. 

To set the ProxySG appliance to run on the next hardware restart: 

1. Select Maintenance > Upgrade > Systems. 

2. Select the preferred System version in the Default column. 

3. Click Apply. 



Note: An empty system cannot be specified as default, and only one system can 
be specified as the default system. 



Related CLI Syntax to Set the Default Boot System 

SGOS# (config) installed-systems 

SGOS# (config installed-systems) default system_number 

Locking and Unlocking ProxySG Systems 

Any system can be locked, except a system that has been selected for replacement. 
If all systems, or all systems except the current system, are locked, the ProxySG 
cannot load a new system. 

If a system is locked, it cannot be replaced or deleted. 

To lock a system: 

1. Select Maintenance > Upgrade > Systems. 

2. Select the system(s) to lock in the Lock column. 

3. Click Apply. 

To unlock a system: 

1. Select Maintenance > Upgrade > Systems. 

2. Deselect the system(s) to unlock in the Lock column. 

3. Click Apply. 
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Related CLI Syntax for Locking A System 

SGOS# (config) installed-systems 

SGOS# (config installed-systems) lock system_number 

To unlock: 

SGOS# (config) installed-systems 

SGOS# (config installed-systems) no lock system_number 

Replacing a ProxySG System 

You can specify the system to be replaced when a new system is downloaded. If 
no system is specified, the oldest unlocked system is replaced by default. You 
cannot specify a locked system for replacement. 

To specify the system to replace: 

1. Select Maintenance > Upgrade > Systems. 

2. Select the system to replace in the Replace column. 

3. Click Apply. 

Related CLI Syntax to Specify the System to Replace 

SGOS# (config) installed-systems 

SGOS# (config installed-systems) replace system_number 

Deleting a ProxySG System 

You can delete any of the system versions except the current running system. A 
locked system must be unlocked before it can be deleted. If the system you want 
to delete is the default boot system, you need to select a new default boot system 
before the system can be deleted. 

You cannot delete a system version through the Management Console; you must 
use the CLI. 

To delete a system: 

At the (config) command prompt: 

SGOS# (config) installed-systems 

SGOS# (config installed-systems) delete system_number 
where system_number is the system you want to delete. 



Disk Reinitialization 

You can reinitialize disks on a multi-disk ProxySG. You cannot reinitialize the disk 
on a single-disk ProxySG. If you suspect a disk fault in a single-disk system, 
contact Blue Coat Technical Support for assistance. 

About Reinitialization 

Reinitialization is done online without rebooting the system. (For more 
information, refer to the #disk command in the Volume 11: Command Line Interface 
Reference.) 
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Important: Do not reinitialize disks while the system is proxying traffic. 



SGOS operations, in turn, are not affected, although during the time the disk is 
being reinitialized, that disk is not available for caching. Only the master disk 
reinitialization restarts the ProxySG. 

Only persistent objects are copied to a newly-reinitialized disk. This is usually not 
a problem because most of these objects are replicated or mirrored. If the 
reinitialized disk contained one copy of these objects (which is lost), another disk 
contains another copy. 

You cannot reinitialize all of the ProxySG disks over a very short period of time. 
Attempting to reinitialize the last disk in a system before critical components can 
be replicated to other disks in the system causes a warning message to appear. 

Immediately after reinitialization is complete, the ProxySG automatically starts 
using the reinitialized disk for caching. 



Note: If a disk containing an unmirrored event or access log is reinitialized, 
the logs are lost. Similarly, if two disks containing mirrored copies of the logs 
are reinitialized, both copies of the logs are lost. 



Hot Swapping Disk Drives in 810 and 8100 ProxySG Appliances 

On multi-disk 810 and 8100 ProxySG appliances, you can hot swap any disk 
(including the left-most disk, which on earlier appliances was known as the 
master disk — the newer platforms do not have this concept) as long as there is one 
operational disk drive. When you hot swap a disk drive, the data on the existing 
disk is transferred to the new disk and vice versa. Because the data from each disk 
is copied back and forth, you might need to change the default boot version. This 
is because the ProxySG always boots the newest OS — if the disk drive had a 
newer OS, the ProxySG tries to boot it — even if you had previously set a different 
default boot version. Thus, you should reset your default boot version after hot 
swapping a disk drive. See "Setting the Default Boot System" on page 69 for more 
information. 

Hot Swapping Disk Drives in 800 and 8000 ProxySG Appliances 

On a multi-disk ProxySG, the master disk is the leftmost valid disk. Valid means 
that the disk is online, has been properly initialized, and is not marked as invalid 
or unusable. 

If the current master disk is taken offline, reinitialized, or declared invalid or 
unusable, the leftmost valid disk that has not been reinitialized since restart 
becomes the master disk. Thus, as disks are reinitialized in sequence, a point is 
reached where no disk can be chosen as the master. At this point, the current 
master disk is the last disk. If this disk is taken offline, reinitialized, or declared 
invalid or unusable, the ProxySG is restarted. 
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On a multi-disk ProxySG, a disk is reinitialized by setting it to empty and copying 
pre-boot programs, boot programs, and starter programs, and system images 
from the master disk to the reinitialized disk. 

Single-Disk ProxySG Appliance 

The disk on a single-disk ProxySG cannot be reinitialized by the customer. If you 
suspect a disk fault in a single-disk ProxySG, contact Blue Coat Technical Support 
for assistance. 



Deleting Objects from the ProxySG Appliance 

The ability to delete either individual or multiple objects from the ProxySG makes 
it easy to delete stale or unused data and make the best use of the storage in your 
system. 



Note: The maximum number of objects that can be stored in a ProxySG is affected 
by a number of factors, including the SGOS version it is running and the 
hardware platform series. 



This feature is not available in the Management Console. Use the CLI instead. 

To delete a single object from the ProxySG: 

At the (config) prompt, enter the following command: 

SGOS# (config) content delete url url 

To delete multiple objects from the ProxySG: 

At the (config) prompt, enter the following command: 

SGOS# (config) content delete regex regex 
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This chapter describes the various resources that provide diagnostic 

information: 

□ Heartbeats: Enabled by default. Heartbeats (statistics) are a diagnostic tool 
used by Blue Coat, allowing them to proactively monitor the health of 
appliances. 

□ Core images: Created when there is an unexpected system restarted. This 
stores the system state at the time of the restart, enhancing the ability for 
Blue Coat to determine the root cause of the restart. 

□ Syslnfo (System Information): Syslnfo provides a snapshot of statistics and 
events on the ProxySG. 

□ PCAP: An onboard packet capture utility that captures packets of Ethernet 
frames going in or out of an ProxySG. 

□ Policy trace: A policy trace can provide debugging information on policy 
transactions. This is helpful, even when policy is not the issue. For 
information on using policy tracing, refer to Volume 10: Content Polio/ 
Language Guide. 

□ Event Logging: The event log files contain messages generated by software 
or hardware events encountered by the appliance. For information on 
configuring event logging, see "Setting Up Event Logging and Notification" 
on page 17. 

□ Access Logging: Access logs allow for analysis of Quality of Service, 
content retrieved, and other troubleshooting. For information on Access 
Logging, refer to Volume 8: Access Logging. 

□ CPU Monitoring: With CPU monitoring enabled, you can determine what 
types of functions are taking up the majority of the CPU. 

To test connectivity, use the following commands from the enable prompt: 

□ ping: Verifies that a particular IP address exists and is responding to 
requests. 

□ traceroute: Traces the route from the current host to the specified 
destination host. 

□ test http get path_to_URL\ Makes a request through the same code paths 
as a proxied client. 

□ display path_to_URL : Makes a direct request (bypassing the cache). 

□ show services: Verifies the port of the Management Console configuration. 

□ show policy: Verifies if policy is controlling the Management Console. 
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For information on using these commands, refer to Chapter 2: "Standard and 
Privileged Mode Commands" in the Volume 11: Command Line Interface Reference. 



Note: If you cannot access the Management Console at all, be sure that you are 
using HTTPS (https : //ProxySG ip address : 8 08 2 ) . If you want to use HTTP, 
you must explicitly enable it before you can access the Management Console. 



Topics in this Chapter 

This chapter includes information about the following topics: 

□ "Diagnostic Reporting (Service Information)" on page 74 (This includes taking 
snapshots of the system.) 

□ "Packet Capturing (the Job Utility)" on page 81 

□ "Core Image Restart Options" on page 87 

□ "Diagnostic Reporting (Heartbeats)" on page 88 

□ "Diagnostic Reporting (CPU Monitoring)" on page 89 

If the ProxySG does not appear to work correctly and you are unable to diagnose 
the problem, contact Blue Coat Technical Support. 

Diagnostic Reporting (Service Information) 

The service information options allow you to send service information to Blue 
Coat using either the Management Console or the CLI. You can select the 
information to send, send the information, view the status of current transactions, 
and cancel current transactions. You can also send service information 
automatically in case of a crash. 

Sending Service Information Automatically 

Enabling automatic service information allows you to enable the transfer of 
relevant service information automatically whenever a crash occurs. This saves 
you from initiating the transfer, and increases the amount of service information 
that Blue Coat can use to solve the problem. The core image, system 
configuration, and event log are system-use statistics that are sent for analysis. If a 
packet capture exists, it is also sent. 

The auto-send feature requires that a valid Service Request is entered. If you do 
not have a Service Request open you must first contact Blue Coat Technical 
Support. 



Important: A core image and packet capture can contain sensitive information — 

for example, parts of an HTTP request or response. The transfer to Blue Coat is 
encrypted, and therefore secure; however, if you do not want potentially sensitive 
information to be sent to Blue Coat automatically, do not enable the automatic 
service information feature. 
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To send service information automatically: 

1. Select Maintenance > Service Information > Send Information > General. 




2. To send core image service information to Blue Coat automatically, select 

Enable auto-send. 

3. Enter the service-request number that you received from a Technical Support 
representative into the Auto Send Service Request Number field (the service- 
request number is in the form xx-xxxxxxx or x-xxxxxxx). 

4. Click Apply. 

5. (Optional) To clear the service-request number, clear the Auto Send Service 
Request Number field and click Apply. 

Related CLI Syntax to Send Service Information 

To send service information automatically: 

1. To enable (or disable) the automatic service information feature, enter the 
following commands at the (config) command prompt: 

SGOS# (config) diagnostics 

SGOS# (config diagnostics) service-info 

SGOS# (diagnostics service-info) auto {enable | disable} 

SGOS# (diagnostics service-info) auto sr-number sr_number 

2. (Optional) To clear the service-request number, enter the following command: 

SGOS# (diagnostics service-info) auto no sr-number 

Managing the Bandwidth for Service Information 

You can control the allocation of available bandwidth for sending service 
information. Some service information items are large, and you might want to 
limit the bandwidth used by the transfer. Changing to a new bandwidth 
management class does not affect service information transfers already in 
progress. However, changing the details of the bandwidth management class 
used for service information, such as changing the minimum or maximum 
bandwidth settings, affects transfers already in progress if that class was selected 
prior to initiating the transfer. 



Note: Before you can manage the bandwidth for the automatic service 
information feature, you must first create an appropriate bandwidth- 
management class. Refer to Volume 5: Advanced Networking for information about 
creating and configuring bandwidth classes. 
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To manage bandwidth for service information: 

1. Select Maintenance > Service Information > Send Information > General. 

2. To manage the bandwidth of automatic service information, select a 
bandwidth class from the Service Information Bandwidth Class drop-down menu. 

3. Click Apply. 

4. (Optional) To disable the bandwidth-management of service information, 
select none from the Service Information Bandwidth Class drop-down menu; click 
Apply. 

Related CLI Syntax to Manage Bandwidth for Service Information 

SGOS# (diagnostics service-info) bandwidth-class bw_class_name 

Configure Service Information Settings 

The service information options allow you to send service information to Blue 
Coat using either the Management Console or the CLI. You can select the 
information to send, send the information, view the status of current transactions, 
and cancel current transactions using either the Management Console or the CLI. 
For information about sending service information automatically, see "Sending 
Service Information Automatically" on page 74. 



Important: You must specify a service-request number before you can send 
service information. See Blue Coat Technical Support at: http:/ / 
www.bluecoat.com/ support/index.html for details on opening a service 
request ticket. 



The following list details information that you can send: 

□ Packet Capture 

□ Event Log 

□ Memory Core 

□ Policy Trace File 

□ SYSInfo 

□ Access Logs (can specify multiple) 

□ Snapshots (can specify multiple) 

□ Contexts (can specify multiple) 

To send service information: 

1. Select Maintenance > Service Information > Send Information > Send Service 
Information. 
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a. Enter the service-request number that you received from a Technical 
Support representative (the service-request number is in the form xx- 
xxxxxxx or 

x-xxxxxxx). 

b. Select the appropriate options (as indicated by a Technical Support 
representative) in the Information to send area. 



Note: Options for items that you do not have on your system are grayed out 
and cannot be selected. 



c. (Optional) If you select Access Logs, Snapshots, or Contexts, you must 
also click Select access logs to send. Select snapshots to send, or Select 
contexts to send and complete the following steps in the corresponding 
dialog that displays: 
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d. To select information to send, highlight the appropriate selection in the 

Access Logs/Snapshots/Contexts Not Selected field and click Add to 
Selected. 

e. To remove information from the Access Logs/Snapshots/Contexts Selected 
field, highlight the appropriate selection and click Remove from Selected. 

f. Click Ok to close the dialog. 

3. Click Send. 




4. Click Ok in the Information upload started dialog that appears. 
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Related CLI Syntax to Send Service Information 

SGOS# (diagnostics service-info) [subcommands] 



Creating and Editing Snapshot Jobs 

The snapshot subsystem periodically pulls a specified console URL and stores it 
in a repository offering valuable resources for Blue Coat customer support in 
diagnosing problems. 

By default, two snapshots are defined. The first takes a snapshot of the system 
information URL once every 24 hours. The second snapshot takes an hourly 
snapshot of the system information statistics. Both of these snapshot jobs keep the 
last 30 snapshots. 

Determining which console URL to poll, the time period between snapshots, and 
how many snapshots to keep are all configurable options for each snapshot job. 



To create a new snapshot job: 

1. Select Maintenance > Service Information > Snapshots. 



2a 



Snapshots 

■ Snapshots 



Snapshot Jobs 
sysinfo_stats 



New 



Add list item 



Add Snapshot Job 



test o- 



2b 



[ K OK Cancel 



view All bnapsnots 



2. Perform the following steps: 

a. Click New. 

b. Enter a snapshot job into the Add list item dialog that displays; click 

Ok. 



3. Click Apply. 

4. (Optional) To view snapshot job information, click View All Snapshots. Close the 
window that opens when you are finished viewing. 



Related CLI Syntax to Send Service Information 

SGOS# (config diagnostics) snapshot create snapshot_name 
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To edit an existing snapshot job: 

1. Select Maintenance > Service Information > Snapshots. 

2. Select the snapshot job you want to edit (highlight it). 

3. Click Edit. 

The Edit Snapshot dialog displays. 




4. Enter the following information into the Edit Snapshot fields: 

a. Target: Enter the object to snapshot. 

b. Interval (minutes): Enter the interval between snapshot reports. 

c. Total Number To Take: Enter the total number of snapshots to take or 
select Infinite to take an infinite number of snapshots. 

d. Maximum Number To Store: Enter the maximum number of snapshots to 
store. 

e. Enabled: Select this to enable this snapshot job or deselect it to disable 
this snapshot job. 

5. (Optional) Click View URL List to open a window displaying a list of URLs; 

close the window when you are finished viewing. 

6. (Optional) Click View Snapshots to open a window displaying snapshot 

information; close the window when you are finished viewing. 

7. (Optional) Click Clear Snapshots to clear all stored snapshot reports. 
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Related CLI Syntax to Edit an Existing Snapshot Job 



□ To enter configuration mode: 

SGOS# (config) diagnostics 

□ The following subcommands are available: 



SGOS# (config 
SGOS# (config 
SGOS# (config 
SGOS# (config 
100 ) 

SGOS# (config snapshot snapshot_name) 
SGOS# (config snapshot snapshot_name) 



interval minutes 

keep number _to_keep (from 1 - 

take {infinite | number_to_take } 
target object_to_fetch 



diagnostics) snapshot edit snapshot_name 
snapshot snapshot_name) {disable | enable} 
snapshot snapshot_name) 
snapshot snapshot_name) 



Packet Capturing (the Job Utility) 

You can capture packets of Ethernet frames going into or leaving a ProxySG. 
Packet capturing allows filtering on various attributes of the frame to limit the 
amount of data collected. The maximum PCAP size allowed is 100MB. Any 
packet filters must be defined before a capture is initiated, and the current packet 
filter can only be modified if no capture is in progress. 

The pcap utility captures all received packets that are either directly addressed to 
the ProxySG through an interface's MAC address or through an interface's 
broadcast address. The utility also captures transmitted packets that are sent from 
the appliance. The collected data can then be transferred to the desktop or to Blue 
Coat for analysis. 



Note: Packet capturing increases the amount of processor usage performed in 
TCP/IP. 

To analyze captured packet data, you must have a tool that reads Packet Sniffer 
Pro 1.1 files (for example. Ethereal or Packet Sniffer Pro 3.0). 



PCAP File Name Format 

The name of a downloaded packet capture file has the format: 
bluecoat_date ^filter-expression . cap, revealing the date and time (UTC) of the 
packet capture and any filter expressions used. Because the filter expression can 
contain characters that are not supported by a file system, a translation can occur. 
The following characters are not translated: 

□ Alphanumeric characters (a-z, A-Z, 0-9) 

□ Periods (.) 

Characters that are translated are: 

□ Space (replaced by an underscore) 

□ All other characters (including the underscore and dash) are replaced by a 
dash followed by the ASCII equivalent; for example, a dash is translated to 
- 2 D and an ampersand (&) to -2 6 . 
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Common PCAP Filter Expressions 

Packet capturing allows filtering on various attributes of the frame to limit the 
amount of data collected. PCAP filter expressions can be defined in the 
Management Console or the CLI. Below are examples of filter expressions; for 
PCAP configuration instructions, see "Configuring Packet Capturing" on page 83. 

Some common filter expressions for the Management Console and CLI are listed 
below. The filter uses the Berkeley Packet Filter format (BPF), which is also used 
by the tcpdump program. A few simple examples are provided below. If filters 
with greater complexity are required, you can find many resources on the Internet 
and in books that describe the BPF filter syntax. 



Note: Some qualifiers must be escaped with a backslash because their identifiers 
are also keywords within the filter expression parser. 

□ ip proto protocol 

where protocol is a number or name (icmp, udp, top). 

□ ether proto protocol 

where protocol can be a number or name (ip, arp, rarp). 



Table 4-1 PCAP Filter Expressions 



Filter Expression 


Packets Captured 


ip host 10.25.36.47 


Captures packets from a specific host with IP 
address 10.25.36.47. 


not ip host 10.25.36.47 


Captures packets from all IP addresses except 

10.25.36.47. 


ip host 10.25.36.47 and ip 
host 10.25.36.48 


Captures packets sent between two IP addresses: 

10.25.36.47 and 10.25.36.48. 

Packets sent from one of these addresses to other 
IP addresses are not filtered. 


ether host 00 : eO : 81 : 01 : f 8 : fc 


Captures packets to or from MAC address 

00:e0:81:01:f8:fc:. 


port 80 


Captures packets to or from port 80. 


ip sr www.bluecoat.com and 
ether broadcast 


Captures packets that have IP source of 
www.bluecoat.com and ethernet broadcast 
destination. 



Using Filter Expressions in the CLI 

To add a filter to the CLI, use the command: 

SGOS# pcap filter expr parameters 

To remove a filter, use the command: 

SGOS# pcap filter <enter> 
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Important: Define cli filter expr parameters with double-quotes to 

avoid confusion with special characters. For example, a space is interpreted 
by the CLI as an additional parameter, but the CLI accepts only one 
parameter for the filter expression. Enclosing the entire filter expression in 
quotations allows multiple spaces in the filter expression. 



Configuring Packet Capturing 

Use the following procedures to configure packet capturing. If a download of the 
captured packets is requested, packet capturing is implicitly stopped. In addition 
to starting and stopping packet capture, a filter expression can be configured to 
control which packets are captured. For information on configuring a PCAP filter, 
see "Common PCAP Filter Expressions" on page 82. 



Note: Requesting a packet capture download stops packet capturing. 

To analyze captured packet data, you must have a tool that reads Packet Sniffer 
Pro 1.1 files (for example. Ethereal or Packet Sniffer Pro 3.0). 



To enable, stop, and download packet captures: 

1. Select Maintenance > Service Information > Packet Captures. 



2d 

2a 

2c 



Packet Captures 

r Packet Captures 



Start capture... 








Download capture 




Show statistics 



-c=» Direction: 
-^Capture filter: 



Both 



Interface: 



All 



phost 10.25.36.47 



2b 



2. Perform the following steps: 

a. In the Direction drop-down list, select the capture direction: in, out, or 
both. 



b. In the Interface drop-down list, select the interface on which to capture. 

c. To define or change the PCAP filter expression, enter the filter 
information into the Capture filter field. (See "Common PCAP Filter 
Expressions" on page 82 for information about PCAP filter expressions 
for this field.) To remove the filter, clear this field. 

d. Click Start Capture. The Start Capture dialog displays. 
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3. Select options, as required: 
a. Select a buffer size: 

• Capture all matching packets. 

• Capture first n matching packets. Enter the number of matching 
packets (n) to capture. If the number of packets reaches this limit, 
packet capturing stops automatically. The value must be between l 

and 1000000. 

• Capture last n matching packets. Enter the number of matching 
packets (n) to capture. Any packet received after the memory limit is 
reached results in the discarding of the oldest saved packet prior to 
saving the new packet. The saved packets in memory are written to 
disk when the capture is stopped. The value must be between l and 
1000000 . 

• Capture first n matching Kilobytes. Enter the number of kilobytes (n) 
to capture. If the buffer reaches this limit, packet capturing stops 
automatically. The value must be between i and 102400 . 
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• Capture last n matching Kilobytes. Enter the number of kilobytes (n) to 
capture. Any packet received after the memory limit is reached results 
in the discarding of the oldest saved packet prior to saving the new 
packet. The saved packets in memory are written to disk when the 
capture is stopped. The value must be between 1 and 102400. 

b. Optional — To truncate the number of bytes saved in each frame, enter 
a number in the Save first n bytes of each packet field. When configured, 
pcap collects, at most, n bytes of packets from each frame when writing 
to disk. The range is 1 to 65535 . 

c. Optional — To specify the number of kilobytes of packets kept in a core 
image, enter a value in the Include n K Bytes in core image field. You can 
capture packets and include them along with a core image. This is 
extremely useful if a certain pattern of packets causes the unit to 
restart unexpectedly. The core image size must be between 0 and 
102400. By default, no packets are kept in the core image. 

d. To start the capture, click Start Capture. The Start Capture dialog closes. 

The Start captures button in the Packet Captures tab is now grayed out 
because packet capturing is already started. 

You do not have to click Apply because all changes are applied when you 
start the packet capture. 

Packet Captures 




4 



4 . To stop the capture, click the Stop capture button. This button is grayed out if a 
packet capture is already stopped. 

5 . To download the capture, click the Download capture button. This button is 
grayed out if no file is available for downloading. 

Related CLI Syntax to Define Packet Capturing Settings 

SGOS# pcap filter parameters 
SGOS# pcap start [ subcommands ] 

To start, stop, and download packet captures through a browser: 

1 . Start your Web browser. 

2 . Enter the URL: https : //appliancelPaddress : 8082 / PCAP/Stati sties and log 

on to the appliance as needed. 

The Packet Capture browser displays. 
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Packet Capture 

Packet capture Statistics 

Current state: Stopped 
Filtering: Off 

Packet capture information: 

Packets captured : 181 
Bytes captured : 19,549 
Packets written : 181 
Bytes written : 24,745 
Coreimage ram used : 0 B 
Packets filtered through : 0 

Start packet capture 

Stop packet capture 

Download packet capture file 

3. Select the desired action: Start packet capture. Stop packet capture. Download packet 
capture file. 

You can also use the following URLs to configure these individually: 

□ To start packet capturing, use this URL: 

https : / / ProxySG_IP_address: 8082/PCAP/start 

□ To stop packet capturing, use this URL: 

https : / / Proxy SGIPaddress: 8082/PCAP/ stop 

□ To download packet capturing data, use this URL: 

https : // Proxy SG_IP_address : 8082/PCAP/ blue coat . cap 

Viewing Current Packet Capture Data 

Use the following procedures to display current capture information from the 
ProxySG. 

To view current packet capture statistics: 

1. Select Maintenance > Service Information > Packet Captures. 

2. To view the packet capture statistics, click the Show statistics button. 

A window opens displaying the statistics on the current packet capture 
settings. Close the window when you are finished viewing the statistics. 

Related CLI Syntax to View Packet Capture Data 

SGOS# pcap info 
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Uploading Packet Capture Data 

Use the following command to transfer packet capture data from the ProxySG to 
an FTP site. You cannot use the Management Console. After uploading is 
complete, you can analyze the packet capture data. 

SGOS# pcap transfer ftp :// url/pa th/ filename . cap username password 

Specify a username and password, if the FTP server requires these. The username 
and password must be recognized by the FTP server. 



Core Image Restart Options 

This option specifies how much detail is logged to disk when a system is 
restarted. Although this information is not visible to the user. Blue Coat Technical 
Support uses it in resolving system problems. The more detail logged, the longer 
it takes the ProxySG to restart. There are three options: 

□ None — no system state information is logged. Not recommended. 

□ Context only — the state of active processes is logged to disk. This is the default. 

□ Full — A complete dump is logged to disk. Use only when asked to do so by 
Blue Coat Technical Support. 

The default setting of Context only is the optimum balance between restart speed 
and the information needs of Blue Coat Technical Support in helping to resolve a 
system problem. 

You can also select the number of core images that are retained. The default value 
is 2; the range is between 1 and 10. 



To configure core image restart options: 

1. Select Maintenance > Core Images. 



Core Images 



O None 
® Context only 
QFull 



Number of stored context images: 



6 v 



2. Select a core image restart option. 

3. (Optional) Select the number of core images that are retained from the Number 

of stored images drop-down list. 



4. Click Apply. 



Related CLI Syntax for Configuring Core Image Restart Options 

SGOS# (config) restart core-image {context | full | keep number | none} 
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Diagnostic Reporting (Heartbeats) 

The ProxySG diagnostic reporting configurations are located in the Management 
Console (under the Maintenance > Hearbeats tab), and in the CLI (under the 
configuration diagnostics submode). 

The daily heartbeat is a periodic message that is sent every 24 hours and contains 
ProxySG statistical data. Besides telling the recipient that the device is alive, 
heartbeats also are an indicator of the appliance's health. Heartbeats do not 
contain any private information; they contain only aggregate statistics that can be 
use to preemptively diagnose support issues. The daily heartbeat is encrypted 
and transferred to Blue Coat using HTTPS. Administrators can have the daily 
heartbeat messages e-mailed to them by configuring event log notification. The 
content that is e-mailed to the administrator is the same content sent to Blue Coat. 

If monitoring is enabled. Blue Coat receives encrypted information over HTTPS 
whenever the appliance is rebooted. The data sent does not contain any private 
information; it contains restart summaries and daily heartbeats. This allows the 
tracking of ProxySG unexpected restarts due to system issues, and allows Blue 
Coat to address system issues preemptively. 

If the daily heartbeats setting is disabled, you can still send a heartbeat message 
by using the send-heartbeat command through the CLI (this feature is not 
available through the Management Console). 

To set daily heartbeats and/or Blue Coat monitoring: 

1. Select Maintenance > Heartbeats. 



Heartbeats 

- Monitoring: 

@ Enable daily heartbeats 
@ Enable Blue Coat Systems monitoring 



2. Select or deselect Enable daily heartbeats or Enable Blue Coat monitoring. 

3. Click Apply. 

Related CLI Syntax to Manage Heartbeats and Monitoring 

□ To enter configuration mode: 

SGOS# (config) diagnostics [Command_Modes] 

□ The following subcommands are available: 

SGOS# (config diagnostics) heartbeat enable 
SGOS# (config diagnostics) monitor enable 
SGOS# (config diagnostics) send-heartbeat 



Note: This option is not available through the Management Console. 
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Diagnostic Reporting (CPU Monitoring) 

You can enable CPU monitoring whenever you want to see the percentage of CPU 
being used by specific functional groups. For example, if you look at the CPU 
consumption and notice that compression/ decompression is consuming most of 
the CPU, you can change your policy to compress/ decompress more selectively 



Note: CPU monitoring uses about 2-3% CPU when enabled, and so is disabled by 
default. 



To configure and view CPU monitoring: 
1. Select Statistics > Advanced. 



Advanced 




2. Click the Diagnostics link. A list of links to Diagnostic URLs displays. 
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Advanced 




Diagnostics A 

* Show saved snaDshots 
/Diagnostics/Snapshot/[ <snapshot name>[/dow 

» CPU Monitor statistics 

* StoD the CPU Monitor 

* Staff the CPU Monitor 

* ShO/ information about the hardware installed 

Endpoint Mapper 

» Show list of eomaDDer URLs 
» Show EndDoint MaDDer database contents 

* Qhnu/ Pnrlnriinf N/lonnAr nfofi nfi 





3. To enable CPU monitoring, click the Start the CPU Monitor link; to disable it, 
click the Stop the CPU Monitor link. 



4. To view CPU monitoring statistics, click the CPU Monitor statistics link. You 
can also click this link from either of the windows described in Step 3. 

Related CLI Syntax to Configure and View CPU Monitoring 

SGOS# (config) diagnostics 

SGOS# (config diagnostics) cpu-monitor {disable | enable} 

SGOS# (config diagnostics) cpu-monitor interval seconds 

Notes 

□ The total percentages do not always add up because the display only shows 
those functional groups that are using 1% or more of the CPU processing 
cycles. 

□ The commands SGOS#(config) show cpu and SGOS# (config diagnostics) 
view cpu-monitor can sometimes display CPU statistics that differ by about 2- 
3%. This occurs because different measurement techniques are used for the 
two displays. 
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This chapter describes the statistics displayed in the Management Console. 
Statistics present a graphical view of the status for many system operations. 

Topics in this Chapter 

This chapter includes information about the following topics: 

□ "Selecting the Graph Scale" on page 92 

□ "Viewing Traffic Distribution Statistics" on page 92 

□ "Viewing Traffic History" on page 97 

□ "Viewing ADN History" on page 101 

□ "Viewing Bandwidth Management Statistics" on page 101 

□ "Viewing ProxyClient Statistics" on page 101 

□ "Viewing Network Interface History Statistics" on page 101 

□ "Viewing System Statistics" on page 103 

□ "Viewing Traffic Distribution Statistics" on page 92 

□ "Active Sessions — Viewing Per-Connection Statistics" on page 110 

□ "Viewing the Access Log" on page 124 

□ "Using the CLI show Command to View Statistics” on page 124 
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Selecting the Graph Scale 

Altering the graph scale allows you to view the details on a filtered section of the 
values. For example, if you select clip 25% of peaks, the top 25% of the values are 
allowed to exceed the scale for the graph, showing greater detail for the 
remaining 75% of the values. To set the graph scale, select a value from the Graph 
scale should drop-down list. 

The graphs in the Statistics > ProxyClient History, Statistics > Protocol Details, and 
Statistics > System > Resources allow you to select a scale. 

Some of the graphs also offer the option of viewing statistics in bytes or objects. 
On these pages, you can switch among viewing modes by selecting the desired 
value from the drop-down list. You can also move your cursor over the bar 
graphs to dynamically display color-coded statistical information. 




Figure 5-1 Graph Scale Drop-Down Example 

Viewing Traffic Distribution Statistics 

Use the Statistics > Traffic Mix page to display traffic distribution and bandwidth 
statistics for traffic running through the ProxySG. You can display statistics for 
proxy types, or for services, and for various time periods. 
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Traffic Mix 



f — I =“C* : Service 0 Proxy Duration: Last Hour v 






0 Include bypassed bytes in graphs 



Default Ports... 



(kilobits per second) 



20 



7:55am 8:10am 

BW Usage BWGain 



8:25am 



t. 

8:40am 8:55am 



53.7% 

31.2% 

6.9% 

4.1% 

3.4% 



CIFS: 

HTTP: 

Kerberos: 

LDAP: 

Default: 

Endpoint Mapper: 0.3% 
Citrix ICA: 0% 

Other: 0% 

Client Bytes Server Bytes 




Service Name 


Proxy Type 


Client Bytes 


Server Bytes 


Bypassed Bytes 


Bandwidth Gain 


CIFS 


CIFS 


0 


0 


119,697 


1 n /a 1* 


Endpoint Mapper 


Endpoint Mapper 


0 


0 


888 


1 n ' a r 


FTP 


FTP 


0 


0 


0 


1 n ' a L 

i I v 



Total Client Bytes: 0 bytes Total Server Bytes: 0 bytes Total Bypassed Bytes: 217 54 KB Total Gain: 



lx 



Key: 

a: View aggregated bandwidth usage or gain graphs and statistics, 
b: View client or server byte-distribution charts and statistics. 

c: Review client bytes, server bytes, bypassed bytes, and bandwidth gain (per proxy or service). 

d: Review totals for client bytes, server bytes, bandwidth gain, bypassed bytes, and total gain (for all 
proxies or all services). 

e: Show default service bytes per port. 

f: Switch between proxy and service traffic mix statistics. 

g: Modify the historical reporting period. 

h: Include or exclude bypassed bytes. 



Figure 5-2 Traffic Mix Page 



Note: Bypassed bytes are bytes that are not intercepted by a service or proxy. 
When you include or exclude bypassed bytes, only the graph data and totals are 
affected. The table data in the lower half of the page is not altered. 



For a list of supported proxies, see "Supported Proxy Types" on page 98. 



Note: Endpoint Mapper proxy bytes are the result of Microsoft Remote 
Procedure Call (MSRPC) communication for MAPI traffic. 
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Clearing the statistics 

To reset traffic mix statistics, select Maintenance > System and Disks > Tasks, click Clear 
the trend statistics. 



The chart data updates automatically every 60 seconds. The units for the X and Y 
axis change according to the selected duration. For example, if you select Last 
Week, the X-axis displays the days of the week (the most current day is to the far 
right). 

The word "Hit" can display at the top of the BW Gain graph if the gain was the 
result of a cache hit. 

The colors in the bandwidth usage and bandwidth gain charts represent the 
following information: 

□ Green — Client bytes 

□ Blue — Server bytes 

□ Brown — Bypassed bytes 

□ Dark Blue — Bandwidth Gain (which includes bypassed bytes, if selected) 

In the tool tips (as shown in Figure 5-3), bandwidth gain and bandwidth 
savings are represented in black text. 

Hover the mouse cursor over the chart data to view detailed values. 



Figure 5-3 Traffic Mix Statistics — displayed when the cursor hovers over chart data 

Detailed Values 

The values that display when you hover the mouse cursor over the chart data, are 
called tool tips. These values can include: 



Related CLI Syntax to Clear Traffic Mix Statistics 



SGOS# clear-statistics persistent 



Understanding Chart Data 



C = 2,471 bps 

S = 2,062 bps 



B = 0 bps 

Gain = 1.2x 
Savings = 16.55% 
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□ C = Client-side traffic data rate. This statistic represents the data rate 
calculated (to and from the client) on the client-side connection. Data rate is 
represented by units of bits per second (bps) from measurements that are 
sampled at one- minute intervals. All application protocol-level bytes are 
counted, including application-protocol overhead such as HTTP and CIFS 
headers. 

□ S = Server-side traffic data rate. This statistic represents the data rate 
calculated (to and from the server) on the server-side connection. The data 
rate is represented by units of bits per second (bps) from measurements that 
are sampled at one-minute intervals. All application-level bytes are counted, 
including application overhead such as HTTP and CIFS headers. 

□ Unopt = Unoptimized traffic data rate. This statistic reflects the data rate of 
original traffic served to/ from the client or server prior to or subsequent to 
ADN optimization. The data rate is represented by units of bits per second 
(bps). 

□ Opt = Optimized traffic data rate. This statistic reflects the data rate of ADN- 
optimized traffic. Data rate is represented by units of bits per second (bps). 

□ B = Bypassed traffic data rate. This statistic reflects that data rate of bypassed 
traffic (traffic that is not intercepted by ProxySG services). The data rate is 
represented by units of bits per second (bps). 

□ Gain = Bandwidth Gain. This statistic, representing the overall bandwidth 
benefit achieved by object and byte caching, compression, protocol 
optimization, and object caching, is computed by the ratio: 

client bytes / server bytes 

and represented as a unit-less multiplication factor. Bandwidth-gain values 
are computed at one-minute intervals to correspond to the one-minute 
sampling of client and server bytes. For example, if server bytes displayed as 
10kbps and client bytes was 90kbps, the bandwidth gain is represented as 9x. 

□ Savings = Bandwidth Savings. This statistic, representing the overall 
bandwidth savings achieved over the WAN by utilizing object and byte 
caching, protocol optimization, and compression, is computed by 

(client bytes - server bytes) / client bytes 

and presented as a percentage. The Savings value provides a relative 
percentage of bandwidth savings on the WAN link, with 100% indicating no 
WAN traffic at all (no server bytes) and 0% indicating that no savings were 
achieved by client bytes equaling server bytes. Utilizing the numbers from the 
above example, the equivalent savings would be 8/9 = 0.89 = 89%. 

Refreshing the Data 

The data in the Traffic Mix page refreshes whenever you switch views or change 

the duration of the sample. If there is no activity, the data refreshes every 60 

seconds. 



95 



Volume 9: Managing the Blue Coat ProxySG Appliance 



About Bypassed Bytes 

Bypassed bytes are bytes that are not intercepted by a service or proxy. By default, 
bypassed bytes are included in the traffic mix views. When evaluating traffic 
statistics for potential optimization, it can be useful to include or exclude the 
bypassed byte statistics. 

If you include bypassed bytes in traffic mix views, it depicts the actual bandwidth 
gain achieved between the client and the server by representing the total number 
of optimized and unoptimized bytes exchanged on the link. Bandwidth gain 
statistics are lower in this view because bypassed bytes are unoptimized, using 
bandwidth with no corresponding caching or protocol optimization benefits. 

Exclude bypassed bytes statistics in the traffic mix view, by clearing the Include 
bypassed bytes in graphs check box. This view depicts bandwidth gain on the 
protocols that the ProxySG intercepts and their corresponding values. 

When you include or exclude bypassed bytes, only the graph data and totals are 
affected. The table data in the lower half of the page is not altered. 

About the Default Service Statistics 

The default service statistics represent bytes for traffic that has been bypassed 
because it did not match: 

□ An existing service listener 

□ Other rules, such as static or dynamic bypass 

To view the default service bytes, click Default Ports... in the upper-right section of 

the Statistics > Traffic Mix page. 




1 



r Default Service Per-Port Bytes: 



Last Cleared: Mon, 29 Jan 2007 18:41:00 UTC 



Port | 



Bytes 



1666 

8081 

1030 

1026 

1300 

1334 

1254 

1046 



2,010,967 

344,184 

25,581 

24,580 

13,678 

13,128 

10,608 

5,962 



Clear Statistics 



Refresh | 



Figure 5-4 Default Service Per Port Bytes Dialog 

Refer to Volume 2: Proxies and Proxy Services for more information about the 
default service. 
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Viewing Bandwidth Usage or Gain 

Select the BW Usage or BW Gain tab in the Statistics > Traffic Mix page to view 
bandwidth usage and bandwidth gain statistics for the ProxySG over the last 
hour, day, week, month, and year. To view per-service or per-proxy bandwidth 
usage statistics, go to the Traffic History (Statistics > Traffic History) page. 

In the BW Usage graph, the green display represents client data; the blue display 
represents server data; the brown represents bypassed bytes data. Hover your 
cursor over the graph to see the bandwidth usage and gain data. 

To view bandwidth usage or gain statistics: 

1. Select Statistics > Traffic Mix > BW Usage or BW Gain. 

2. Select a time period from the Duration drop-down list. 

3. (Optional) Select Include bypassed bytes in graphs to include statistics for bytes 
not intercepted by a proxy or service. 

4. Select the Service option to display the bandwidth usage statistics for all 
configured services. 

5. Select the Proxy option to display the bandwidth usage statistics for all 
supported proxies. 

Viewing Client Byte and Server Byte Traffic Distribution 

Select the Client Bytes or Server Bytes tabs in the Statistics > Traffic Mix page to view a 
pie chart of client byte or server byte statistics for the ProxySG over the last hour, 
day, week, month, or year. The pie charts display data for the top seven services or 
proxies; all other proxy and service statistics are categorized in the Other category. 
These items are arranged in a sorted order — the item that has highest percentage 
is displayed at the top of the list. 

To view client and server byte statistics: 

1. Select Statistics > Traffic Mix > Client Bytes or Server Bytes. 

2. Select a time period from the Duration drop-down list. 

3. (Optional) Select Include bypassed bytes in graphs to include statistics for bytes 
not intercepted by a proxy or service. 

4. Select the Service option to display the traffic distribution statistics for all 
services. 

5. Select the Proxy option to display the traffic distribution statistics for all 
supported proxies. 

Viewing Traffic History 

Use the Statistics > Traffic History page to monitor the traffic statistics for all traffic 
running through the ProxySG. You can display statistics for all proxy types or all 
services. 
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Key: 

a: View traffic history statistics by service or by proxy, 
b: Modify the historical reporting period, 
c: Include or exclude bypassed bytes. 

d: View totals for client bytes, server bytes, and bandwidth gain for the selected service or proxy type, 
e: Display charts for bandwidth usage, bandwidth gain, client bytes, and server bytes. 

Note: Bypassed bytes are bytes that are not intercepted by a service or proxy. 



Supported Proxy Types 

The Traffic History (and Traffic Mix) page displays data for the following proxy types 
(and services of these proxy types): 



• CIFS 

• HTTP 

• Inbound ADN (Only in 
Traffic History) 

• Quicktime 

• SSL 



• Endpoint Mapper 

• HTTPS Forward 
Proxy 

• MAPI 

• Real Media 

• TCP Tunnel 



• FTP 

• HTTPS Reverse Proxy 

• MSRPC 

• RTSP (Only in Traffic 
Mix) 

• Windows Media 



98 



Chapter 5: Statistics 



Supported Services 



CIFS 


• CitrixICA 


• Endpoint Mapper 


FTP 


• HTTP 


• HTTPS 


IMAP 


• IMAPS 


• Inbound ADN (Only in 
Traffic History) 


Kerberos 


• LDP 


• LDAP 


Lotus Notes 


• MMS 


• MS SQL Server 


MS Terminal Services 


• MySQL 


• NFS 


Novell Group Wise 


• Novell NCP 


• Oracle 


POP3 


• POP3S 


• RTSP (Only in Traffic 
Mix) 


SMTP 


• SSH 


• SSH Tunnel 


Shell 


• SnapMirror 


• Sybase SQL 


VNC 


• X Windows 





Note: Endpoint Mapper proxy bytes are the result of Remote Procedure Call 
(RPC) communication for MAPI traffic. 

Unsupported Proxy Types 

The Traffic History does not display data for the following proxy types: 

• DNS • IM • P2P 

• SOCKS • Telnet 

Understanding Chart Data 

The Traffic History chart data updates automatically every 60 seconds. The colors in 
the chart represent the following information: 

□ Bandwidth Usage chart: 

• Green — Client bytes 

• Blue — Server bytes 

• Brown — Bypassed bytes 

• Dark Blue — Bandwidth gain 

□ Bandwidth Gain chart 

• Dark Blue — Bandwidth gain 

□ Client and Server Byte charts: 

• Green — Intercepted client bytes 
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• Blue — Intercepted server bytes 

• Brown — Bypassed bytes 

Hover the mouse cursor over the chart data to view detailed values. 



C = 1,716 bps 

S = 1 ,641 bps 
— B = 0 bps 
Gain = 1.05x 



Savings = 4.37% 




Figure 5-5 Traffic History Statistics — displayed when the cursor hovers over chart data 



Refreshing the Data 

The data in the Traffic History page refreshes whenever you switch views or change 
the duration of the sample. If there is no activity, the data refreshes every minute. 

About Bypassed Bytes 

Bypassed bytes are bytes that are not intercepted by a service or proxy. By default, 
bypassed bytes are included in the traffic mix views. When evaluating traffic 
statistics for potential optimization, it can be useful to include or exclude the 
bypassed byte statistics. Include or exclude bypassed bytes in the charts and 
graphs by selecting or clearing Include bypassed bytes. 

Viewing Bandwidth Usage or Gain or Client Byte and Server Byte 
Traffic History 

To view client and server byte or bandwidth gain statistics: 

1. Select Statistics > Traffic History > BW Usage, BW Gain, Client Bytes, or Server Bytes. 

2. Generate history data for a service or proxy: 

Service history: 

a. Select the Service option. 

b. Select a service from the drop-down list. 
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Proxy history: 

a. Select the Proxy option. 

b. Select a proxy from the drop-down list. 

3. Select a time period from the Duration drop-down list 

4. (Optional) Select Include bypassed bytes in graphs to include statistics for bytes 
not intercepted by a proxy or service. 

Viewing ADN History 

The Statistics > ADN History pages allow you to view either usage statistics or gain 
statistics and either unoptimized bytes or optimized bytes through the ADN 
History tab. For configuring the Application Delivery Network, refer to Volume 5: 
Advanced Networking. 

Viewing Bandwidth Management Statistics 

The Statistics > Bandwidth Mgmt pages display the current class and total class 
statistics. Refer to the bandwidth management information in Volume 5: Advanced 
Networking for more information about these statistics. 

Viewing ProxyClient Statistics 

The Statistics > ProxyClient History pages display the ProxyClient Manager statistics. 
Refer to accelerating and controlling micro branch and mobile connections 
(ProxyClient) in Volume 5: Advanced Networking for more information. 

Viewing Network Interface History Statistics 

The Statistics > Network > Interface History page displays the traffic to and from each 
interface, including VLAN traffic, on the ProxySG. Refer to the Configuring 
Adapters and Virtual LANS chapter in Volume 1: Getting Started for more 
information. 

Viewing Protocol Statistics 

The Statistics > Protocol Details pages provide statistics for the protocols serviced by 
the ProxySG. These statistics should be used to compliment the statistics in the 

Traffic History and Traffic Mix pages. 

The descriptions of these statistics are located in the proxy services to which they 
pertain. The following list provides a listing of these statistics and describes 
where to find additional information. 

□ CIFS History 

The Statistics > Protocol Details > CIFS History pages enable you view statistics for 
CIFS objects, CIFS bytes read, CIFS bytes written, and CIFS clients. Refer to 
the CIFS chapter in Volume 2: Proxies and Proxy Services for more information 
about these statistics. 

□ HTTP/ FTP History 
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The Statistics > Protocol Details > HTTP/FTP History pages enable you view 
statistics for HTTP /HTTPS /FTP objects, HTTP /HTTPS /FTP bytes, HTTP/ 
HTTPS/FTP clients, client compression gain, and server compression gain. 
Refer to the HTTP and FTP chapters in Volume 2: Proxies and Proxy Services for 
more information about these statistics. 

For HTTP /FTP bandwidth usage statistics, see the Traffic Mix and Traffic History 
pages. 

□ IM History 

The Statistics > Protocol Details > IM History pages enable you view statistics for 
IM connection data, IM activity data, and IM clients. Refer to the IM chapter in 
Volume 3: Web Communication Proxies for more information about these 
statistics. 

□ MAPI History 

The Statistics > Protocol Details > MAPI History pages enable you view statistics for 
MAPI client bytes read, MAPI client bytes written, and MAPI clients. Refer to 
the MAPI chapter in Volume 2: Proxies and Proxy Services for more information 
about these statistics. 

For MAPI bandwidth usage statistics, see the Traffic Mix and Traffic History 
pages. 

□ P2P History 

The Statistics > Protocol Details > P2P History pages enable you view statistics for 
P2P data, P2P clients, and P2P bytes. Refer to the P2P information in Volume 6: 
The Visual Policy Manager and Advanced Policy for more information about 
these statistics. 

□ Shell History 

The Statistics > Protocol Details > Shell History pages enable you view statistics for 
shell clients. Refer to the shell proxy information in Volume 2: Proxies and Proxy 
Services for more information about these statistics. 

□ SOCKS History 

The Statistics > Protocol Details > SOCKS History pages enable you view statistics 
for SOCKS clients, SOCKS connections, client compression gain, and server 
compression gain. Refer to the SOCKS chapter in Volume 2: Proxies and Proxy 
Services for more information about these statistics. 

□ SSL History 

The Statistics > Protocol Details > SSL History pages enable you view statistics for 
unintercepted SSL data, unintercepted SSL clients, and unintercepted SSL 
bytes. Refer to the SSL chapter in Volume 2: Proxies and Proxy Services for more 
information about these statistics. 

□ Streaming History 
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The Statistics > Protocol Details > Streaming History pages enable you view 
statistics for Windows Media, Real Media, QuickTime, current streaming 
data, total streaming data, and bandwidth gain. Refer to the streaming 
chapter in Volume 3: Web Communication Proxies for more information about 
these statistics. 

For MMS bandwidth usage statistics, see the Traffic Mix and Traffic History 
pages. 

Viewing System Statistics 

The Statistics > System pages enable you to view: 

□ "Resources Statistics” on page 103 

□ "Contents Statistics" on page 107 

□ "Event Logging Statistics" on page 108 

□ "Failover Statistics" on page 109 

Resources Statistics 

The Resources tabs (CPU, Disk Use, Memory Use, and Data) allow you to view 
information about how the CPU, disk space and memory are being used, and how 
disk and memory space are allocated for cache data. You can view data allocation 
statistics through both the Management Console and the CLI, but disk and 
memory use statistics are available only through the Management Console. 

Viewing CPU Utilization 

Through the Management Console, you can view the average CPU utilization 
percentages for the ProxySG over the last 60 minutes, 24 hours, and 30 days. You 
can see the current CPU utilization statistic in the CLI. 
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To view CPU utilization: 

1. Select Statistics > System > Resources > CPU. 



CPU Conofrert Users | Os*. Use HeaayUse Data 





Men Tut Wed Thu Fn Sat Sin Mon 




Viewing Concurrent Users 

The Concurrent Users tab shows users (IP addresses) that are being intercepted by 
the ProxySG. The duration intervals that you can view concurrent use are for the 
last hour, day, week, month, and year. Only unique IP addresses of connections 
intercepted by proxy services are counted toward the user limit. 

To view concurrent users: 

Click Statistics > System > Resources > Concurrent Users. 
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CPU Concurrent Users 

Previous 60 minutes period 



Memory Use | Data 



l i l M i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i 
l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l 



1:30pm 



1:45pm 



2:00pm 



2:15pm 



Previous 24 hours period 




Wed-2pm 



Wed-8pm 



Thu-2p 



Previous 7 days period 




Previous 31 days period 



l l l I I l l I 



l l l l 
l I 



Previous 52 weeks period 




Viewing Disk Use Statistics 

The Disk Use tab shows the ProxySG disk usage. The fields on the tab are: 

□ System Objects — the percentage of storage resources currently used for non- 
access-log system objects 

□ Access log — the percentage of storage resources currently used for the access 
log 

□ Cache in Use — the percentage of non-system, non-access-log resources 
currently in use for cached objects 

□ Cache available — the percentage of non-system, non-access-log resources still 
available for caching objects 

To view disk use statistics: 

Select Statistics > System > Resources > Disk Use. 



105 






Volume 9: Managing the Blue Coat ProxySG Appliance 




Viewing Memory Use Statistics 

The Memory Use tab shows the amount of memory used for RAM, the ProxySG 
itself, and for network buffers. The fields on the Memory Use tab are: 

□ RAM Cache — the amount of RAM that is used for caching 

□ System allocation — the amount of RAM allocated for the device system 

□ Network buffers — the amount of RAM currently allocated for network buffers 

To view memory use statistics: 

Select Statistics > System > Resources > Memory Use. 




Viewing Data Allocation Statistics in RAM and on Disk 

The Data tab shows the total and available disk space and RAM, and how they are 
currently allocated. The fields on the Data tab are described below. You can also 
view this information in the CLI. 

□ Maximum objects supported — The maximum number of objects that can be 
supported 

□ Cached objects — The number of objects that are currently cached 
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□ Disk used by system objects — The amount of disk space used by the system 
objects 

□ Disk used by access log — The amount of disk space used for access logs 

□ Total disk installed — The total amount of disk space installed on the device 

□ RAM used by cache — The amount of RAM allocated for caching 

□ RAM used by system — The amount of RAM allocated for system use 

□ RAM used by network — The amount of RAM allocated for network use 

□ Total RAM installed — The total amount of RAM installed 

To view data allocation statistics: 

Select Statistics > System > Resources > Data. 



CPU I Disk Use 


Memory Use 


Maximum objects supported: 


2,292,607 objects 


Cached Objects: 


27,797 objects 


Disk used by system objects: 


1 .5 gigabytes 


Disk used by access log: 


0 bytes 


Total disk installed: 


37.27 gigabytes 


RAM used by cache: 


374.61 megabytes 


RAM used by system: 


112.13 megabytes 


RAM used by network: 


864.03 kilobytes 


Total RAM installed: 


487.59 megabytes 



Contents Statistics 

The Contents tabs (Distribution and Data) allow you to see information about objects 
currently stored or served organized by size. The cache contents include all 
objects currently stored by the ProxySG. The cache contents are not cleared when 
the appliance is powered off. 

Viewing Cached Objects by Size 

The Distribution tab shows the objects currently stored by the ProxySG, ordered by 
size. 

To view the distribution of cache contents: 

Select Statistics > System > Contents > Distribution. 
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Distribution Data 

- Cached objects, distribution by size 




Viewing the Number of Objects Served by Size 

The Data tab displays the number of objects served by the ProxySG, organized by 
size. This chart shows you how many objects of various sizes have been served. 

To view the number of objects served: 

Select Statistics > System > Contents > Data. 



Distribution Data 



0-1 KB 


1 


9-1 0 KB 


9 


90-1 00 KB 


0 


1-2 KB 


130 


10-20 KB 


29 


100-200 KB 


1 


2-3 KB 


34 


20-30 KB 


12 


200-300 KB 


1 


3-4 KB 


15 


30-40 KB 


5 


300-400 KB 


0 


4-5 KB 


10 


40-50 KB 


2 


400-500 KB 


0 


5-6 KB 


7 


50-60 KB 


1 


500-600 KB 


0 


6-7 KB 


6 


60-70 KB 


0 


600-700 KB 


0 


7-8 KB 


37 


70-80 KB 


0 


700-800 KB 


0 


8-9 KB 


4 


80-90 KB 


0 


800-900 KB 


0 


.9-1 MB: 0 


9-10 MB 


0 


over 50 MB 


0 


1-2 MB 


0 


10-20 MB 


0 






2-3 MB 


0 


20-30 MB 


0 






3-4 MB 


0 


30-40 MB 


0 






4-5 MB 


0 


40-50 MB 


0 






5-6 MB 


0 










6-7 MB 


0 










7-8 MB 


0 










8-9 MB 


0 


Objects in cache: 


304 





Event Logging Statistics 

The event log contains all events that have occurred on the ProxySG. Configure 
the level of detail available by selecting Maintenance > Event Logging > Level (For 
details, see "Configuring Which Events to Log" on page 17). 

To view the event log: 

1. Select Statistics > System > Event Logging. 
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Event log: END OF LOG 



2005-11-29 19: 
2005-11-29 20. 
2005-11-29 20. 
2005-11-29 21: 
2005-11-29 21. 
2005-11-29 22. 
2005-11-29 22: 
2005-11-29 22. 
2005-11-29 22: 
2005-11-29 22: 
2005-11-2 9 22. 
2005-11-29 23: 
2005-11-29 23. 



45: 41+00: OOUTC 
00: 02+00: OOUTC 
33:29+00: OOUTC 
00: Ol+OO: OOUTC 
33:29+00: OOUTC 
00: OO+OO: OOUTC 
04:58+00: OOUTC 
04:59+00: OOUTC 
05: 02+00: OOUTC 
05: 02+00: OOUTC 
33:28+00: OOUTC 
00: 00+00: OOUTC 
33:28+00: OOUTC 



"Read/ write node entered from 10.15 
"Snapshot sysinfo stats has fetched 
"NTP: Periodic query of server ntp .* 
"Snapshot sysinfo stats has fetched 
"NTP: Periodic query of server ntp.* 
"Snapshot sysinfo stats has fetched 
"Enabling- compatibility mode for pr 
"Failed none for admin ssh2" 0 46 
"Administrator log-in from 10.150.1. 
"Accepted password for admin ssh2“ 
"NTP: Periodic query of server ntp.* 
" Snapshot sysinfo_stats has fetched 
"NTP: Periodic query of server ntp.* 



0 Poll f or new events I Log start « [ » Log end 



2. Click Log start or Log end or the forward and back arrow buttons to move 
through the event list. 

3. (Optional) Click the Poll for new events check box to poll for new events that 
occurred while the log was being displayed. 



Note: The Event Log cannot be cleared. 



Failover Statistics 

At any time, you can view statistics for any failover group you have configured 
on your system. 

To view failover statistics: 

1. Select Statistics > System > Failover. 



Status 



Failover Group: 



1 0.9.1 G.1 50 



Failover status: 

224.1.2.3 
10.9.16.150 
MASTER 
R (Real IP) 



Multicast address: 
Local address: 
State: 

Flags: 



2. From the Failover Group drop-down list, select the group to view. 

The information displayed includes the multicast address, the local address, the 
state, and any flags, where V indicates that the group name is a virtual IP address, 
R indicates that the group name is a physical IP address, and M indicates that this 
machine can be configured to be the master if it is available. 
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Active Sessions — Viewing Per-Connection Statistics 

Viewing active sessions enables you to view detailed statistics about proxied 
sessions, errored sessions, and bypassed connections. 

Viewing the proxied sessions provides information for diagnostic purposes. 
Viewing bypassed connections helps identify new types of traffic flowing through 
the ProxySG, as well as traffic flows that would benefit from optimization. 
Viewing errored sessions enables you to track details for troubleshooting. 

For specific information, see "Analyzing Proxied Sessions" on page 110, 
"Analyzing Bypassed Connections Statistics" on page 120, and "Viewing Errored 
Sessions and Connections" on page 122. 



Note: You can also view session statistics for ADN inbound connections, which is 
described in Volume 5, Advanced Networking, Chapter 2: "Configuring an 
Application Delivery Network." 



Example Scenarios Using Active Sessions for Troubleshooting 

An administrator is setting up a Common Internet File System (CIFS) over ADN 
and the CIFS does not appear to be working. The administrator can use the Active 
Sessions feature on the ProxySG to filter for any CIFS sessions that produced an 
error. If the ProxySG did not report an error, the administrator still has some 
information about the session that can help diagnose the failure without the use 
of a packet capture. 

The following list describes two other examples when using active sessions can 
help with troubleshooting problems. 

□ A site-wide problem is occurring and the administrator uses active sessions to 
diagnose the failure. If it is a problem with DNS, for example, there will be a 
large number of sessions with DNS errors. 

□ In protocols where errors might not be communicated another way (such as 
CIFS, TCP, or tunnels), active sessions record the actual error. 

Analyzing Proxied Sessions 

The Statistics > Active Sessions > Proxied Sessions page provides an immediate 
picture of the sessions and the protocol types, services, bytes, savings, and other 
statistics. These statistics are derived from WAN optimization and object caching 
and are associated with client traffic. 

The first time you view the Proxied Sessions page, no data is displayed. To display 
proxied sessions data, click Show. The statistics displayed in the window are not 
automatically updated. To update the statistics, click Show again. 
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Proxied Sessions Bypassed Connections 

Filter: None v show 



Q Limit Display to 
Q Show errored sessions only 



results 



ADN Inbound Connections 



r Proxied Sessions 



Client 


Server A S 


FW Duration 


Client Bytes 


Server Bytes 


Savings r 


► 10.2.15.93:2110 


catalog . video . msn . com : 80 


15 sec 


4,562 


4,502 


0.99% A 


► 10.2.15.93:2107 


i.l.cnn.net:80 


49 sec 


6,905 


6,802 


1.96% 


► 10.2.15.93:2105 


catalog . video . msn . com : 80 


55 sec 


10,286 


10,054 


1.96% 


► 10.2.15.93:2048 


i.l.cnn.net:80 


2.7 min 


31.795.478 


31. 779.4201 


0% v 


< 










l£| 



Download 



Total displayed sessions: 4 Total displayed connections: 17 



Important: Use the statistics on the Proxied Sessions pages as a diagnostic tool 
only. The Proxied Sessions pages do not display every connection running through 
the ProxySG. This feature displays only the active sessions — one client connection 
(or several), together with the relevant information collected from other 
connections associated with that client connection. Because it displays only open 
connections, you cannot use the data for reporting purposes. 



The Proxied Sessions page displays statistics for the following proxies: 



• CIFS 

• Endpoint Mapper 

• FTP 

• HTTP 



• HTTPS Forward Proxy 

• HTTPS Reverse Proxy 

• MAPI 



• MSRPC 

• QuickTime 

• Real Media 

• SSL 

• TCP Tunnel 

• Windows Media 



Viewing Proxied Sessions 

Client connections are available for viewing as soon as the connection request is 
received. However, if delayed intercept is enabled, the connection is not shown 
until the three-way handshake completes. Server connections are registered and 
shown in the table after the connect call completes. 
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To view proxied sessions: 

1. Select Sessions > Active Sessions > Proxied Sessions. 

2. Select a filter from the Filter drop-down list, enter the appropriate information 
(for client address/ port or sever address/ port) or make a selection from the 
drop-down list (for proxy or services). 



Important: It is important to select a filter before clicking Show to minimize 

the time it might take for a busy ProxySG to download the list of active 
sessions. 



3. (Optional) To limit the number of sessions to view, select Limit Display to and 
enter a number in the results field. This helps optimize performance when 
there is a large number of connections. 

4. (Optional) To view the current errored proxied sessions, select Show errored 
sessions only. For more details, see "Viewing Errored Sessions and 
Connections" on page 122. 

5. Click Show. 

Downloading Proxied Session Statistics 

To save and share session statistics data for diagnostic purposes, you can 
download the current proxied sessions statistics and save them in an Excel file. 

To download proxied session statistics: 

1. Click Download. The Save dialog displays. 

2. Navigate to the location to save the text file and click Save. The text file 
contains all the statistics for the current proxied sessions. 

3. (Optional) Save the data in an Excel file by copying the contents of the text file, 
opening Excel, and selecting Edit > Paste Special. 

Terminating a Proxied Session 

Terminating an active session causes any operation in progress on the session to 
be interrupted, so it is not advised to do so unless there is a specific condition that 
needs to be remedied. When you terminate a proxied session, the ProxySG 
terminates both the client-side and server-side connections. 

For example, a CIFS session might report an error that was preventing it from 
being accelerated. The administrator would then reconfigure some settings on the 
client or server to fix the problem. After that, the administrator could terminate 
the session on the ProxySG, which would force the client to connect again and 
allow the new connection to be accelerated. 

To terminate a proxied session: 

Select the session in the list and click Terminate Session. 
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About the Proxied Sessions Statistics 

When reviewing the proxied session statistics, note that: 

□ Active client and server connections are displayed in black. 

□ Inactive connections are displayed in gray 

□ Errored connections are displayed in red (when you select the Show errored 
sessions only check box). 

□ Session and connection totals are displayed on the bottom left side of the 
page. 

The following table describes the per-column statistics and the various icons on 

the Proxied Sessions page. 



Table 5-1 Column and Icon Descriptions on the Proxied Sessions Page 



Column or Icon 


Description 


Client 


IP address and port of the client PC (or other downstream host). 
When the client connection is inactive, the contents of this 
column are unavailable (gray). A client connection can become 
inactive if, for example, a client requests a large object and then 
aborts the download before the ProxySG has finished 
downloading it into its cache. 

When the session has multiple client connections, a tree view is 
provided. See "Viewing Sessions with Multiple Connections" on 
page 117 for more information. 


Server 


Final destination of the request. 

By default, the hostname is displayed. However, if a user 
entered an IP address in the URL, the IP address is displayed. 
When you hold the cursor over the hostname or IP address, the 
following information displays: 

• Client-supplied destination IP 

• Destination server address (the final server address to which 
the proxy is connecting 

The following information displays only when it is available: 

• Address of the upstream forwarding host, if any 

• Address of the upstream SOCKS gateway, if any 
The contents of this column are unavailable if the server 
connection is inactive. This can occur when a download has 
completed (and the server connection is closed or returned to 
the idle pool), but the object is still being served to the client. 

If a server connection was never made (a pure cache hit case), 
the Server column displays the hostname (or IP address) of the 
requested server. 

Active server connections are shown in black; inactive 
connections are gray. 
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Table 5-1 Column and Icon Descriptions on the Proxied Sessions Page (Continued) 



Column or Icon 


Description 


A 


ADN. Indicates that the server connection is flowing over an 
ADN tunnel. If the icon does not display, it indicates that an 


s 


ADN tunnel is not in use. 
Encrypted ADN tunnel. 


S 

% 


SOCKS. Indicates that the upstream connection is being sent 
through a SOCKS gateway. If the icon does not display, it 
indicates that a SOCKS gateway is not in use. 


FW 


Forwarding. Indicates that the upstream connection is being 
sent through a forwarding host. If the icon does not display, it 


& 


indicates that forwarding is not in use. 


Duration 


Displays the amount of time the session has been established. 


Client Bytes 


Represents the number of bytes (to and from the client) at the 
socket level on the client connection. All application-level bytes 
are counted, including application overhead such as HTTP 
headers, CIFS headers, and so on. 

TCP and IP headers, packet retransmissions, and duplicate 
packets are not counted. 

See "About the Byte Totals" on page 118 for more information. 


Server Bytes 


Represents the number of bytes (to and from the server) at the 
socket level on the server connection. All application-level bytes 
are counted, including application overhead such as HTTP 
headers, CIFS headers, and so on. 

If the traffic is flowing through an ADN tunnel, the bytes are 
counted after ADN optimization, meaning that compressed 
byte counts are displayed. 

TCP and IP headers, packet retransmissions, and duplicate 
packets are not counted. 

See "About the Byte Totals" on page 118 for more information. 


Savings 


Displays the bandwidth gain for the session and the savings in 
bandwidth. 

When the request results in a pure cache hit, this column 
displays 100%. 


88 

o 


Compression. When displayed in color, this icon indicates that 
an ADN Tunnel is in use and gzip compression is active in 
either direction on that tunnel. 

This icon has three states: 

• Active (color icon) 

• Inactive (gray icon) 

• Not possible (not displayed) 
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Table 5-1 Column and Icon Descriptions on the Proxied Sessions Page (Continued) 



Column or Icon 


Description 


BC 

0101 

O 


Byte Caching. When displayed in color, this icon indicates that 
an ADN Tunnel is in use and byte-caching is active in either 
direction on that tunnel. 

This icon has three states: 

• Active (color icon) 

• Inactive (gray icon) 

• Not possible (not displayed) 


oc 


Object Caching. When displayed in color, this icon indicates 

that an HTTP, HTTPS, CIFS, Streaming, or FTP proxy is in use 

and the content is cacheable. 

This icon has three states: 

• Active (color icon) 

• Inactive (gray icon) 

• Not possible (not displayed) 

The icon: 

• Is unavailable if the content is non-cacheable (or for CIFS, 
when the entire connection is non-cacheable — not on an 
object-by-object basis). 

• Is not displayed for MAPI and TCP-Tunnel traffic. 

• Does not indicate a cache hit; it indicates only that the object 
is cacheable. 


p 

Ik 


Protocol Optimization. When displayed in color, this icon 
indicates that a proxy is in use that is capable of performing 
latency optimizations. These proxies include HTTP, HTTPS, 
CIFS, and MAPI. 

This icon has three states: 

• Active (color icon) 

• Inactive (gray icon) 

• Not possible (not displayed) 


BM 

S 


Bandwidth Management. When displayed in color, this icon 
indicates that either the client or server connection has been 
assigned to a bandwidth class. 

This icon has two states: 

• Active (color icon) 

• Inactive (gray icon) 


o 

LU 


Encryption. When displayed in color, this icon indicates that an 
ADN Tunnel is in use and encryption is active in either 
direction on that tunnel. 

This icon has three states: 

• Active (color icon) 

• Inactive (gray icon) 

• Not possible (not displayed) 
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Table 5-1 Column and Icon Descriptions on the Proxied Sessions Page (Continued) 



Column or Icon 


Description 


Service Name 


Displays the service used by the session. 

Even if a client connection is handed off to a different 
application proxy, this column shows the service name of the 
original service that intercepted the client connection. 


Protocol 


Displays the protocol used by the session. 


Detail 


Provides additional information. For example, it can indicate 

that a CIFS connection is "pass-through" due to SMB signing. 

The Detail column also displays the following errors: 

• Errors connecting upstream (TCP errors, ADN network 
errors) 

• Unexpected network errors after connecting (e.g., read 
errors) 

• Request-handling errors (parse errors, unknown method or 
protocol, unsupported feature) 

• Response-handling errors (parse errors, unknown method or 
protocol, unsupported feature, unexpected responses such as 
HTTP 500 errors from OCS) 

• Unexpected internal errors 

• DNS errors and DNS resolve failures 

• External service errors such as ICAP, BCAAA, and so on 

See "Viewing Errored Sessions and Connections" on page 122. 



Viewing Additional Information 

Place the cursor over the following components or fields to get more information: 

□ Table column headers — Displays the full name of the column header. 

□ Row values. 

□ Acceleration icons (C, BC, OC, P, BM) — Displays the icon identity. 

□ ADN, SOCKS, and FW icons — Displays the upstream host of that type being 
communicated with, if any. 

□ Client and Server — Displays the full hostname or IP address. 

About MMS Streaming Connections 

The Active Sessions feature displays connection statistics for MMS streams over 
HTTP, TCP, or UDP only. Multicast connections are not displayed. When an MMS 
stream is displayed, the service name is listed as HTTP or MMS (depending on the 
transport used) and the protocol indicates Windows Media. 



10 9 59 48:2597 msent .wmod llnwd net 80 14 sec 494 885 166.012 

Figure 5-6 MMS Streaming Connection Example 
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Viewing Sessions with Multiple Connections 

When multiple client or server connections are associated with a single session, 
the Client column provides a tree-view that allows you to expand the row to view 
more details about the associated connections. The tree view is represented by the 
► icon. 

The following figure shows an HTTP example of this tree view. 
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Figure 5-7 Multiple Server Connections Example 



HTTP 

The tree view displays (as shown above) for HTTP if multiple hosts are contacted 
during a session or if pipelining is used. 

FTP 

FTP uses multiple, concurrent connections. These are represented as separate 
rows in the tree view, as shown in the following figure. 



Client Server A S F... Duration Client Bytes Server Bytes Savings C BC OC P BM Service Name Protocol Detail 



10.9.59.48:3718 146.6.54.21:21 3sec 752 747] 



I • 10.9.59.48:3718 146.6.54.21:21 3 sec 324 31 9 | 2% | <» g FTP FTP 

• Osec 428 428 | 0% | Jg g FTP FTP 

Figure 5-8 FTP Connections Example 

CIFS, MAPI, and Endpoint Mapper do not display multiple connections. 

MMS 

The active sessions feature displays MMS streams that have a client associated 
with them. MMS streams that do not have a client associated with them 
(multicast, content management requests, and so on) are not displayed. MMS 
streams are displayed as follows: 

□ MMS UDP streams have two connections, one for data and one for control. 

□ MMS TCP streams have a single connection. 

□ MMS HTTP streams have a single connection. 

For additional information about streaming connections, see "About MMS 
Streaming Connections" on page 116. 

Expanding the Active Sessions Tree View 

When expanded, the tree view displays per-connection statistics for the session, 
as shown in the following example. To expand the results for a connection, click 
the arrow to the left of the client IP address. 
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Figure 5-9 Active Sessions Tree View (Expanded) 

The Savings column result differs according to the server or client byte totals: 

□ Zero client bytes: displays no savings. 

□ Zero client and server bytes: displays no savings. 

□ Client and server are greater than zero: displays the calculated savings. 

About the Byte Totals 

The client and server byte total is the sum of all bytes going to and from the client 
or server. All application-level bytes are counted, including application overhead 
such as HTTP headers, CIFS headers, and so on. TCP and IP headers, packet 
retransmissions, and duplicate packets are not counted. 

The following sections describe some of the factors that can affect the byte totals. 

ADN Tunnels 

If the traffic is flowing through an ADN tunnel, the bytes are counted after ADN 
optimization, meaning that compressed byte counts are displayed. 

Multiple Server Connections 

A single client connection can use many server connections. The server byte 
counts include the total bytes transferred over all server connections accessed 
over the lifetime of a client connection. Even though a server connection can serve 
many clients, the same server byte is never included in more than one client 
connection total. 

Aborted Downloads 

In some cases, you might see the server bytes increasing even after the client has 
closed the connection. This can occur when a client requests a large object and 
aborts the download before receiving the entire object. The server bytes continue 
to increase because the ProxySG is retrieving the object for caching. You can 
change this behavior by enabling the bandwidth gain mode. 

To enable the bandwidth gain mode: 

1. Select Configuration > Proxy Settings > HTTP Proxy > Acceleration Profile. 

2. Select Enable bandwidth gain mode. 

3. Click Apply. 



118 





Chapter 5: Statistics 



An alternative way to do this is to add the following to policy: 

<cache> 

delete_on_abandonment (yes) 

Explicit Proxying and Pipelining 

If clients are explicitly proxied and the session has multiple connections or is 
pipelined, no client bytes are displayed and the expanded server connections 
display no savings when the tree view is shown. This is because the ProxySG is 
downloading the content before serving it to the client. 

What Is Not Displayed 

The Proxied Sessions page does not display statistics for: 

□ IM (Yahoo, AOL, MSN), DNS, SOCKS, and Telnet 

□ Inbound ADN connections (These display on the ADN Inbound Connections 
page.) 

□ Bridged connections 

□ Administrative connections (Management Console, SSH console, SNMP, 
DSAT, access-logging. Director, and so on) 

□ Off-box processing connections (ICAP, DRTR, and so on) 



Note: In some cases, an administrative or off-box connection might correspond to 
a specific client connection, for example, an ICAP AV scanning connection 
associated with a specific HTTP client connection. However, the byte counts 
collected from administrative or off-box connections are not included in the 
Active Sessions display. 



Filtering the Session Statistics 

Use the Filter drop-down list to filter the proxied session statistics. When you 
select a filter, a text field or drop-down list displays for you to enter or select the 
filtering criteria. 



Filter: Server Address v 


msn.com| 


Show 


y Limit Display to 


results 





y Show errored sessions only 



Figure 5-10 Filter List 



Note: Select Show errored sessions only to view errored sessions. See "Viewing 
Errored Sessions and Connections" on page 122. 



The following filters are available: 

□ Client Address: Filter by IP address only or IP address and subnet mask. 

□ Client Port: Filter by the client port number. 
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□ Server Address: Filter by IP address or hostname. Hostname filters 
automatically search for suffix matches. For example, if you filter for 
example.com, test.example.com is included in the results. 

□ Server Port: Filter by the server port number. 

□ Proxy: Select the proxy type from the drop-down list. The proxy types are 
listed on page 110. 

□ Service: Select an enabled service from the drop-down list. If you filter for a 
service that is not supported for active sessions (see "What Is Not Displayed" 
on page 119), the resulting filtering list will be empty. 

Viewing HTML and XML Views of Proxied Sessions Data 

Access the following URLs to get HTML and XML views of active session 
statistics: 

□ HTML: h ttps : //Proxy SG_IP: 8082/AS/Sessions/ 

□ XML: https :/ /ProxySGIP : 8082/AS/ProxiedConnecti ons/xml 

See Also 

□ "Analyzing Bypassed Connections Statistics" 

□ "Viewing Errored Sessions and Connections" 

Analyzing Bypassed Connections Statistics 

The Statistics > Sessions > Active Sessions > Bypassed Connections page displays data 
for all unintercepted TCP traffic. 

When the appliance is first installed in an inline deployment, all services are 
bypassed by default. By analyzing the connection data in the Bypassed Connections 
page, you can review the types of traffic flowing through the appliance to identify 
traffic flows that would benefit from optimization. The Bypassed Connections page 
is also useful for identifying new types of traffic flowing through the appliance. 

Viewing, Downloading, and Terminating Bypassed Connections 

The Bypassed Connections page displays data for connections that were not 
intercepted due to one of the following: 

□ A service has not been configured to intercept the traffic. 

□ A static or dynamic bypass rule caused the traffic to be bypassed. 

□ The interface transparent interception setting is disabled. 

□ Restrict intercept is configured. 

To view bypassed connections: 

1. Select Statistics > Sessions > Active Sessions > Bypassed Connections. 

2. Select a filter from the Filter drop-down list and click Show. 
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Important: It is important to select a filter before clicking Show to minimize 

the time it might take for a busy ProxySG to download the list of active 
sessions. 



3. (Optional) To limit the number of sessions to view, select Limit Display to and 
enter a number in the results field. This helps optimize performance when 
there is a large number of connections. 

4. (Optional) To view the current errored bypassed connections, select Show 
errored sessions only. For more details, see See "Viewing Errored Sessions and 
Connections" on page 122. 

5. Click Show. 



Note: See "Filtering the Session Statistics" on page 119 for more information 
about using the filters. 



Note the following: 

□ Unavailable connections (gray) indicate connections that are now closed. 

□ Previously-established connections displayed with (<-?->) text indicate that 
the direction of these connections is unknown. 

□ One-way connections are displayed in color. 

To download bypassed connections statistics: 

1. Click Download. The Save dialog displays. 

2. Navigate to the location to save the text file and click Save. The text file 
contains all the statistics for the current bypassed connections. 

3. (Optional) Save the data in an Excel file by copying the contents of the text file, 
opening Excel, and selecting Edit > Paste Special. 

To terminate a bypassed connection: 

Select a connection in the list and click Terminate Connection. 

About Bypassed Connection Statistics 

The following table describes the column headings on the Bypassed Connections 
page. 

Table 5-2 Table Column Heading Descriptions on the Bypassed Connections Page 



Column Heading 


Description 


Client 


IP address and port of the client PC (or other downstream host). 


Server 


Server IP address and port number. 


Duration 


Displays the amount of time the connection has been 
established. 
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Table 5-2 Table Column Heading Descriptions on the Bypassed Connections Page (Continued) 



Column Heading 


Description 


Bypassed Bytes 


Displays the total number of bypassed bytes for the connection. 


Service Name 


Displays the service used by the connection. 


Details 


Provides additional information. For example: 

• One-way traffic (forward) 

• One-way traffic (reverse) 

• Previously established 

• Bypassed because of network interface setting 



Note: ProxySG 5.3 bypasses CIFS sessions that require message signing or 
server signatures. Object caching and protocol optimization are inactive for 
these CIFS sessions, and the message in the Details field is Server requires security 
signatures. 



Viewing HTML and XML Views of Bypassed Connections Data 

Access the following URLs to get HTML and XML views of active session 
statistics: 

□ HTML: https ://ProxySG_IP: 8082/AS/BypassedConnections/ 

□ XML: https :/ /ProxySGIP : 8082/ AS/BypassedConnections/xml 

See Also 

a "Active Sessions — Viewing Per-Connection Statistics" 

□ "Example Scenarios Using Active Sessions for Troubleshooting" 

□ "About the Proxied Sessions Statistics" 

□ "Analyzing Proxied Sessions" 

a "Viewing Errored Sessions and Connections" 

Viewing Errored Sessions and Connections 

Although you can view current errored sessions on the Proxied Sessions and 
Bypassed Connections pages by selecting a check box, you can also view both 
current and historical errored sessions on the Statistics > Sessions > Errored Sessions 
pages. There are two pages: one for errored proxied sessions and one for errored 
bypassed connections. 

The Detail column displays the type of error received. For example, if you open a 
browser and enter a URL for which the hostname cannot be resolved, the 
information that displays in the Detail column DNS error: unresolved hostname 
(Network Error). 
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To view errored sessions or connections: 

1. Select Statistics > Sessions > Errored Sessions. Select the Proxied Sessions page or 
the Bypassed Connections page, depending on the type of Errored sessions you 
want to view. 

2. (Optional) To limit the number of sessions to view, select Limit Display to and 
enter a number in the results field. 

3. Select a filter from the Filter drop-down list and click Show. The errored 
connections display in red. 

4. Scroll to the right to display the Detail column and view error details. To sort 
by error type, click the Detail column header. The Age column displays how 
long it has been since that session ended. 
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See "About the Proxied Sessions Statistics" on page 113 for descriptions of each 
column and icon in the Errored Sessions pages. 



To terminate an errored session or connection: 

Select an errored session or connection in the list and click Terminate Session (for 
proxied Errored sessions) or Terminate Connection (for bypassed errored 
connections). 

Related Syntax to Clear Errored Connections 

#clear-errored-connections bypassed 
# cl ear- errored- connect ions proxied 

Downloading Errored Sessions or Connections Statistics 

For troubleshooting purposes, you can download errored session (proxied) or 
errored connection (bypassed) statistics and save the data in an Excel file. 

To download errored sessions or connections statistics: 

1. Click Download. The Save dialog displays. 

2. Navigate to the location to save the text file and click Save. The text file 
contains all the statistics for the errored sessions. 

3. (Optional) Save the data in an Excel file by copying the contents of the text file, 
opening Excel, and selecting Edit > Paste Special. 
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See Also 

□ "Active Sessions — Viewing Per-Connection Statistics" 

□ "Example Scenarios Using Active Sessions for Troubleshooting" 

□ "Analyzing Proxied Sessions" 

a "About the Proxied Sessions Statistics" 

□ "Analyzing Bypassed Connections Statistics" 

Viewing Health Monitoring Statistics 

The Statistics > Health Monitoring page enables you to get more details about the 
current state of the health monitoring metrics. Health monitoring tracks the 
aggregate health of the ProxySG and aids in focusing attention, if the health state 
changes. See Chapter 2: "Monitoring the ProxySG" on page 9 for information 
about health monitoring. 

Viewing Health Check Statistics 

Use the Statistics > Health Checks page to view the state of various health checks: 
whether the health check is enabled or disabled, if it is reporting the device or 
service to be healthy or sick, or if errors are being reported. Refer to the health 
check information in Volume 5: Advanced Netzvorking for more information. 

Viewing the Access Log 

The Statistics > Access Logging pages enable you to view the log tail, log size, and 
upload status of the access log. Refer to Volume 8: Access Logging for more 
information. 



Using the CLI show Command to View Statistics 

You can use the show command to view a variety of different statistics. The 
following output lists the show options pertaining to topics in this chapter. 
SGOS# show ? 



access-log 
bandwidth- gain 
bandwidth-management 
cif s 

content-distribution 

cpu 

disk 

efficiency 

epmapper 

event-log 

failover 

health- checks 

http 

http-stats 

im 

ip-stats 

p2p 



Access log settings 
Bandwidth gain settings 
Bandwidth management settings 
CIFS information 
Sizes of objects in cache 
CPU usage summary 
Disk status and information 
Efficiency statistics 
EndPoint Mapper information 
Event log settings 
Failover settings 
Health Checks statistics 
HTTP settings 
HTTP statistics 
IM information 
TCP/IP statistics 
Peer-to-peer information 
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proxy- services 
proxy- client 
rip 

resources 
session-monitor 
service- groups 
snmp 

streaming 

system-resource-metrics 



Information about proxy services 
ProxyClient settings 

Routing Information Protocol settings 
Allocation of system resources 
Session monitor 
Proxy service groups 
SNMP statistics 
Streaming information 



System Resource Metrics 



Viewing Advanced Statistics 



A variety of system statistics are located in the Advanced tab of the Management 
Console. 

To view system-wide advanced statistics: 

1. Select Statistics > Advanced. 

2. Click the appropriate link for the service you want to view. 

A list of categories for that service displays. 

3. To view the statistics for a particular category, click that category's link. 

A window opens, detailing the relevant statistics. 
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Glossary 



access control list — Allows or denies specific IP addresses access to a server. 

access log — A list of all the requests sent to a ProxySG. You can read an access 
log using any of the popular log-reporting programs. When a client uses HTTP 
streaming, the streaming entry goes to the same access log. 

account — A named entity that has purchased the ProxySG or the Entitlements 
from Blue Coat. 

activation code — A string of approximately 10 characters that is generated and 
mailed to customers when they purchase the ProxySG. 

active content stripping — Provides a way to identify potentially dangerous mobile 
or active content and scripts, and strip them out of a response. 

active content types — Used in the Visual Policy Manager. Referring to Web 
Access policies, you can create and name lists of active content types to be 
stripped from Web pages. You have the additional option of specifying a 
customized message to be displayed to the user 

administration access policy — A policy layer that determines who can access the 
ProxySG to perform administrative tasks. 

administration authentication policy — A policy layer that determines how 
administrators accessing the ProxySG must authenticate. 

AJAX — Acronym for Asynchronous JavaScript and XML, the technology used 
for live updating of Web objects without having to reload the entire page. 

Application Delivery Network (ADN) — A WAN that has been optimized for 
acceleration and compression by Blue Coat. This network can also be secured 
through the use of appliance certificates. An ADN network is composed of an 
ADN manager and backup ADN manager, ADN nodes, and a network 
configuration that matches the environment. 

ADN backup manager — Takes over for the ADN manager in the event it becomes 
unavailable. See ADN manager. 

ADN manager — Responsible for publishing the routing table to SG Clients (and 
to other ProxySG appliances). 

ADN optimize attribute — Controls whether to optimize bandwidth usage when 
connecting upstream using an ADN tunnel. 

A record — The central records of DNS, which link a domain or subdomain to an 
IP address. An A record can correspond to a single IP address or many IP 
addresses. 

asx rewrite — Allows you to rewrite URLs and then direct a client's subsequent 
request to the new URL. One of the main applications of ASX file rewrites is to 
provide explicit proxy-like support for Windows Media Player 6.4, which 
cannot set explicit proxy mode for protocols other than HTTP. 
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audit — A log that provides a record of who accessed what and how. 

authenticate-401 attribute — All transparent and explicit requests received on the port 
always use transparent authentication (cookie or IP, depending on the 
configuration). This is especially useful to force transparent proxy authentication 
in some proxy-chaining scenarios 

authenticated content — Cached content that requires authentication at the origin 
content server (OCS). Supported authentication types for cached data include 
basic authentication and IWA (or NTLM). 

authentication — Allows you to verify the identity of a user. In its simplest form, this 
is done through usernames and passwords. Much more stringent authentication 
can be employed using digital certificates that have been issued and verified by a 
Certificate Authority. See also basic authentication, proxy authentication, and SSL 
authentication. 

authentication realm — Authenticates and authorizes users to access SG services 
using either explicit proxy or transparent proxy mode. These realms integrate 
third-party vendors, such as LDAP, Windows, and Novell, with the Blue Coat 
operating system. 

authorization — The permissions given to an authenticated user. 



bandwidth — The amount of data you can send through a network or modem 
connection, usually measured in bits per second (bps). 

bandwidth class — A defined unit of bandwidth allocation. 

bandwidth class hierarchy — A gouping of bandwidth classes into a tree structure 
that specifies the relationship among different classes. You create a hierarchy by 
creating at least one parent class and assigning other classes as its children. 

bandwidth gain — Bandwidth gain is a calculation of the savings that occur when 
bandwidth is not consumed as a result of some form of optimization. 

For example, bandwidth gain for active sessions is calculated by subtracting the 
number of client bytes from the number of server bytes and dividing the result by 
the number of server bytes. 

(Client Bytes - Server Bytes) / Server Bytes 

bandwidth management — Classify, control, and, if needed, limit the amount of 
bandwidth used by network traffic flowing in or out of a ProxySG. 

basic authentication — The standard authentication for communicating with the 
target as identified in the URL. 

BCAAA — Blue Coat Authentication and Authorization Agent. Allows SGOS 5.x to 
manage authentication and authorization for IWA, CA eTrust SiteMinder realms, 
Oracle COREid, Novell, and Windows realms. The agent is installed and 
configured separately from SGOS 5.x and is available from the Blue Coat Web site. 

BCLP — Blue Coat Licensing Portal. 

byte-range support — The ability of the ProxySG to respond to byte-range requests 
(requests with a Range : HTTP header). 
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cache — An "object store," either hardware or software, that stores information 
(objects) for later retrieval. The first time the object is requested, it is stored, 
making subsequent requests for the same information much faster. 

A cache helps reduce the response time and network bandwidth consumption on 
future, equivalent requests. The ProxySG serves as a cache by storing content 
from many users to minimize response time and prevent extraneous network 
traffic. 

cache control — Allows you to configure which content the ProxySG stores. 

cache efficiency — A tab found on the Statistics pages of the Management Console 
that shows the percent of objects served from cache, the percent loaded from the 
network, and the percent that were non-cacheable. 

cache hit — Occurs when the ProxySG receives a request for an object and can serve 
the request from the cache without a trip to the origin server. 

cache miss — Occurs when the ProxySG receives a request for an object that is not 
in the cache. The ProxySG must then fetch the requested object from the origin 
server. 

cache object — Cache contents includes all objects currently stored by the ProxySG. 
Cache objects are not cleared when the ProxySG is powered off. 

Certificate Authority (CA) — A trusted, third-party organization or company that 
issues digital certificates used to create digital signatures and public key/ private 
key pairs. The role of the CA is to guarantee that the individuals or company 
representatives who are granted a unique certificate are who they claim to be. 

child class (bandwidth gain) — The child of a parent class is dependent on that parent 
class for available bandwidth (they share the bandwidth in proportion to their 
minimum/ maximum bandwidth values and priority levels). A child class with 
siblings (classes with the same parent class) shares bandwidth with those siblings 
in the same manner. 

cipher suite — Specifies the algorithms used to secure an SSL connection. When a 
client makes an SSL connection to a server, it sends a list of the cipher suites that it 
supports. 

client consent certificates — A certificate that indicates acceptance or denial of 
consent to decrypt an end user's HTTPS request. 

client-side transparency — A way of replacing the ProxySG IP address with the Web 
server IP address for all port 80 traffic destined to go to the client. This effectively 
conceals the ProxySG address from the client and conceals the identity of the 
client from the Web server. 

concentrator — A ProxySG, usually located in a data center, that provides access to 
data center resources, such as file servers. 

content filtering — A way of controlling which content is delivered to certain users. 
ProxySG appliances can filter content based on content categories (such as 
gambling, games, and so on), type (such as http, ftp, streaming, and mime type), 
identity (user, group, network), or network conditions. You can filter content 
using vendor-based filtering or by allowing or denying access to URLs. 
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default boot system — The system that was successfully started last time. If a system 
fails to boot, the next most recent system that booted successfully becomes the 
default boot system. 

default proxy listener — See proxy service (default). 

denial of service (DoS) — A method that hackers use to prevent or deny legitimate 
users access to a computer, such as a Web server. DoS attacks typically send many 
request packets to a targeted Internet server, flooding the server's resources and 
making the system unusable. Any system connected to the Internet and equipped 
with TCP-based network services is vulnerable to a DoS attack. 

The ProxySG resists DoS attacks launched by many common DoS tools. With a 
hardened TCP/IP stack, the ProxySG resists common network attacks, including 
traffic flooding. 

destination objects — Used in Visual Policy Manager. These are the objects that 
define the target location of an entry type. 

detect protocol attribute — Detects the protocol being used. Protocols that can be 
detected include: HTTP, P2P (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and 
Endpoint Mapper. 

diagnostic reporting — Found in the Statistics pane, the Diagnostics tab allows you to 
control whether Daily Heartbeats and/ or Blue Coat Monitoring are enabled or 
disabled. 

directives — Commands used in installable lists to configure forwarding and 
SOCKS gateway. 

DNS access — A policy layer that determines how the ProxySG processes DNS 
requests. 

domain name system (DNS) — An Internet service that translates domain names into 
IP addresses. 

dynamic bypass — Provides a maintenance-free method for improving performance 
of the ProxySG by automatically compiling a list of requested URLs that return 
various kinds of errors. 

dynamic real-time rating (DRTR) — Used in conjunction with the Blue Coat Web Filter 
(BCWF), DRTR (also known as dynamic categorization) provides real-time analysis 
and content categorization of requested Web pages to solve the problem of new 
and previously unknown uncategorized URLs — those not in the database. 

When a user requests a URL that has not already been categorized by the BCWF 
database (for example, a brand new Web site), the ProxySG dynamic 
categorization service analyzes elements of the requested content and assigns a 
category or categories. The dynamic service is consulted only when the installed 
BCWF database does not contain category information for an object. 



early intercept attribute — Controls whether the proxy responds to client TCP 
connection requests before connecting to the upstream server. When early 
intercept is disabled, the proxy delays responding to the client until after it has 
attempted to contact the server. 
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ELFF-compatible format — A log type defined by the W3C that is general enough to 
be used with any protocol. 

emulated certificates — Certificates that are presented to the user by the ProxySG 
when intercepting HTTPS requests. Blue Coat emulates the certificate from the 
server and signs it, copying the subjectName and expiration. The original 
certificate is used between the ProxySG and the server. 

encrypted log — A log is encrypted using an external certificate associated with a 
private key. Encrypted logs can only be decrypted by someone with access to the 
private key. The private key is not accessible to the ProxySG. 

EU LA — End user license agreement. 

event logging — Allows you to specify the types of system events logged, the size of 
the event log, and to configure Syslog monitoring. The ProxySG can also notify 
you by email if an event is logged. See also access logging. 

explicit proxy — A configuration in which the browser is explicitly configured to 
communicate with the proxy server for access to content. This is the default for 
the ProxySG and requires configuration for both the browser and the interface 
card. 

extended log file format (ELFF) — A variant of the common log file format, which has 
two additional fields at the end of the line — the referer and the user agent fields. 



fail open/closed — Failing open or closed applies to forwarding hosts and groups 
and SOCKS gateways. Fail open or closed applies when health checks are 
showing sick for each forwarding or SOCKS gateway target in the applicable fail- 
over sequence. If no systems are healthy, the ProxySG fails open or closed, 
depending on the configuration. If closed, the connection attempt simply fails. 

If open, an attempt is made to connect without using any forwarding target (or 
SOCKS gateway). Fail open is usually a security risk; fail closed is the default if no 
setting is specified. 

filtering — See content filtering. 

forward proxy — A proxy server deployed close to the clients and used to access 
many servers. A forward proxy can be explicit or transparent. 

FTP — See Native FTP and Web FTP. 



gateway — A device that serves as entrance and exit into a communications 
network. 



hardware serial number — A string that uniquely identifies the ProxySG; it is assigned 
to each unit in manufacturing. 

health check tests — The method of determining network connectivity, target 
responsiveness, and basic functionality. The following tests are supported: 
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• ICMP 

• TCP 

• SSL 

• HTTP 

• HTTPS 

• Group 

• Composite and reference to a composite result 

• ICAP 

• Websense 

• DRTR rating service 

health check type — The kind of device or service the specific health check tests. The 
following types are supported: 

• Forwarding host and forwarding group 

• SOCKS gateway and SOCKS gateway group 

• CAP service and ICAP service group 

• Websense off-box service and Websense off-box service group 

• DRTR rating service 

• User-defined host and a user-defined composite 

heartbeat — Messages sent once every 24 hours that contain the statistical and 
configuration data for the ProxySG, indicating its health. Heartbeats are 
commonly sent to system administrators and to Blue Coat. Heartbeats contain no 
private information, only aggregate statistics useful for pre-emptively diagnosing 
support issues. 

The ProxySG sends emergency heartbeats whenever it is rebooted. Emergency 
heartbeats contain core dump and restart flags in addition to daily heartbeat 
information. 

host affinity — The attempt to direct multiple connections by a single user to the 
same group member. Host affinity is closely tied to load balancing behavior; both 
should be configured if load balancing is important. 

host affinity timeout — The host affinity timeout determines how long a user remains 
idle before the connection is closed. The timeout value checks the user's IP 
address, SSL ID, or cookie in the host affinity table. 



inbound traffic (bandwidth gain) — Network packets flowing into the ProxySG. 
Inbound traffic mainly consists of the following: 

• Server inbound: Packets originating at the origin content server (OCS) and 
sent to the ProxySG to load a Web object. 
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• Client inbound: Packets originating at the client and sent to the ProxySG 
for Web requests. 

installable list — A list of configuration parameters that can be created using a text 
editor (either Blue Coat or another text editor) or through the CLI inline 
commands. The list can then be downloaded to the ProxySG from an HTTP server 
or locally from your PC. Configurations that can be created and installed this way 
include the SG Client, archiving, forwarding hosts, SOCKS gateways, ICP, policy 
files, and exceptions. 

integrated host timeout — An integrated host is an origin content server (OCS) that 
has been added to the health check list. The host, added through the 
integrate_new_hosts property, ages out of the integrated host table after 
being idle for the specified time. The default is 60 minutes. 

intervals — Time period from the completion of one health check to the start of the 
next health check. 

IP reflection — Determines how the client IP address is presented to the origin server 
for explicitly proxied requests. All proxy services contain a reflect-ip attribute, 
which enables or disables sending of client's IP address instead of the IP address 
of the ProxySG. 

issuer keyring — The keyring used by the ProxySG to sign emulated certificates. The 
keyring is configured on the appliance and managed through policy. 



licensable component (LC) — (Software) A subcomponent of a license; it is an option 
that enables or disables a specific feature. 

LCAMS — License Configuration and Management System. 

license — Provides both the right and the ability to use certain software functions 
within a Proxy AV (or ProxySG) appliance. The license key defines and controls 
the license, which is owned by an account. 

listener — The service that is listening on a specific port. A listener can be identified 
by any destination IP/subnet and port range. Multiple listeners can be added to 
each service. 

live content — Also called live broadcast. Used in streaming, it indicates that the 
content is being delivered fresh. 

LKF — License key file. 

load balancing — A way to share traffic requests among multiple upstream systems 
or multiple IP addresses on a single host. 

local bypass list — A list you create and maintain on your network. You can use a 
local bypass list alone or in conjunction with a central bypass list. 

local policy file — Written by enterprises (as opposed to the central policy file written 
by Blue Coat); used to create company- and department-specific advanced 
policies written in the Blue Coat Policy Language (CPL). 
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log facility — A separate log that contains a single logical file and supports a single 
log format. It also contains the file's configuration and upload schedule 
information as well as other configurable information such as how often to rotate 
(switch to a new log) the logs at the destination, any passwords needed, and the 
point at which the facility can be uploaded. 

log format — The type of log that is used: NCSA/ Common, SQUID, ELFF, 
SurfControl, or Websense. 

The proprietary log types each have a corresponding pre-defined log format that 
has been set up to produce exactly that type of log (these logs cannot be edited). In 
addition, a number of other EFFF type log formats are also pre-defined (im, main, 
p2p, ssl, streaming). These can be edited, but they start out with a useful set of log 
fields for logging particular protocols understood by the ProxySG. It is also 
possible to create new log formats of type EFFF or Custom which can contain any 
desired combination of log fields. 

log tail — The access log tail shows the log entries as they get logged. With high 
traffic on the ProxySG, not all access log entries are necessarily displayed. 
However, you can view all access log information after uploading the log. 



M 

MACH5 — SGOS 5 MACH5 Edition. 

Management Console — A graphical Web interface that lets you to manage, 
configure, monitor, and upgrade the ProxySG from any location. The 
Management Console consists of a set of Web pages and Java applets stored on 
the ProxySG. The appliance acts as a Web server on the management port to serve 
these pages and applets. 

management information base (MIB) — Defines the statistics that management systems 
can collect. A managed device (gateway) has one or more MIBs as well as one or 
more SNMP agents, which implements the information and management 
functionality defined by a specific MIB. 

maximum object size — The maximum object size stored in the ProxySG. All objects 
retrieved that are greater than the maximum size are delivered to the client but are 
not stored in the ProxySG. 

Media Access Control (MAC) address — A unique value associated with a network 
adapter; also known as hardware address or physical address. For the ProxySG, it 
is a hardware address that is stored in each network card (such as an SSF 
accelerator card or a Quad GigE Fiber EX card) on the ProxySG. The MAC 
address uniquely identifies an adapter on a FAN and is a 12-digit hexadecimal 
number (48 bits in length). 

MIME/FILE type filtering — Allows organizations to implement Internet policies for 
both uploaded and downloaded content by MIME or FIFE type. 

multi-bit rate — The capability of a single stream to deliver multiple bit rates to 
clients requesting content from ProxySG appliances from within varying levels of 
network conditions (such as different connecting band widths and traffic). 

multicast — Used in streaming; the ability for hundreds or thousands of users to 
play a single stream. 
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multicast aliases — Used in streaming; a streaming command that specifies an alias 
for a multicast URL to receive an .nsc file. The .nsc files allows the multicast 
session to obtain the information in the control channel 

multicast station — Used in streaming; a defined location on the proxy where the 
Windows Media player can retrieve streams. A multicast station enables multicast 
transmission of Windows Media content from the cache. The source of the 
multicast-delivered content can be a unicast-live source, a multicast (live) source, 
and simulated live (video-on-demand content converted to scheduled live 
content). 

multimedia content services — Used in streaming; multimedia support includes Real 
Networks, Microsoft Windows Media, Apple QuickTime, MP3, and Flash. 



name inputing — Allows a ProxySG to resolve host names based on a partial name 
specification. When a host name is submitted to the DNS server, the DNS server 
resolves the name to an IP address. If the host name cannot be resolved. Blue Coat 
adds the first entry in the name-inputing list to the end of the host name and 
resubmits it to the DNS server 

native FTP — Native FTP involves the client connecting (either explicitly or 
transparently) using the FTP protocol; the ProxySG then connects upstream 
through FTP (if necessary). 

NCSA common log format — Blue Coat products are compatible with this log type, 
which contains only basic HTTP access information. 

network address translation (NAT) — The process of translating private network (such 
as intranet) IP addresses to Internet IP addresses and vice versa. This 
methodology makes it possible to match private IP addresses to Internet IP 
addresses even when the number of private addresses outnumbers the pool of 
available Internet addresses. 

non-cacheable objects — A number of objects are not cached by the ProxySG because 
they are considered non-cacheable. You can add or delete the kinds of objects that 
the appliance considers non-cacheable. Some of the non-cacheable request types 
are: 

• Pragma no-cache, requests that specify non-cached objects, such as when 
you click refresh in the Web browser. 

• Password provided, requests that include a client password. 

• Data in request that include additional client data. 

• Not a GET request. 

.nsc file — Created from the multicast station definition and saved through the 
browser as a text file encoded in a Microsoft proprietary format. Without an .nsc 
file, the multicast station definition does not work. 
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NTP — To manage objects in an appliance, a ProxySG must know the current 
Universal Time Coordinates (UTC) time. By default, the ProxySG attempts to 
connect to a Network Time Protocol (NTP) server to acquire the UTC time. The 
ProxySG includes a list of NTP servers available on the Internet, and attempts to 
connect to them in the order they appear in the NTP server list on the NTP tab. 



object (used in caching) — An object is the item that is stored in an appliance. These 
objects can be frequently accessed content, content that has been placed there by 
content publishers, or Web pages, among other things. 

object (used in Visual Policy Manager) — An object (sometimes referred to as a 
condition) is any collection or combination of entry types you can create 
individually (user, group, IP address/ subnet, and attribute). To be included in an 
object, an item must already be created as an individual entry. 

object pipelining — This patented algorithm opens as many simultaneous TCP 
connections as the origin server will allow and retrieves objects in parallel. The 
objects are then delivered from the appliance straight to the user's desktop as fast 
as the browser can request them. 

Online Certificate Status Protocol (OCSP) — An Internet protocol used for obtaining the 
revocation status of an X.509 digital certificate. OCSP was created as an 
alternative to certificate revocation lists (CRL), specifically addressing certain 
problems associated with using CRLs in a public key infrastructure (PKI). OCSP 
servers are called OCSP responders due to the request/ response nature of these 
messages. 

origin content server (OCS) — Also called origin server. This is the original source of 
the content that is being requested. An appliance needs the OCS to acquire data 
the first time, to check that the content being served is still fresh, and to 
authenticate users. 

outbound traffic (bandwidth gain) — Network packets flowing out of the ProxySG. 
Outbound traffic mainly consists of the following: 

• Client outbound: Packets sent to the client in response to a Web request. 

• Server outbound: Packets sent to an OCS or upstream proxy to request a 
service. 



PAC (Proxy AutoConfiguration) scripts — Originally created by Netscape, PACs are a 
way to avoid requiring proxy hosts and port numbers to be entered for every 
protocol. You need only enter the URL. A PAC can be created with the needed 
information and the local browser can be directed to the PAC for information 
about proxy hosts and port numbers. 

packet capture (PCAP) — Allows filtering on various attributes of the Ethernet frame 
to limit the amount of data collected. You can capture packets of Ethernet frames 
going into or leaving a ProxySG. 
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parent class (bandwidth gain) — A class with at least one child. The parent class must 
share its bandwidth with its child classes in proportion to the minimum/ 
maximum bandwidth values or priority levels. 

passive mode data connections (PASV) — Data connections initiated by an FTP client to 
an FTP server. 

pipelining — See object pipelining. 

policies — Groups of rules that let you manage Web access specific to the needs of 
an enterprise. Policies enhance ProxySG feature areas such as authentication and 
virus scanning, and let you control end-user Web access in your existing 
infrastructure. 

policy-based bypass list — Used in policy. Allows a bypass based on the properties of 
the client, unlike static and dynamic bypass lists, which allow traffic to bypass the 
appliance based on destination IP address. See also dynamic bypass. 

policy layer — A collection of rules created using Blue Coat CPL or with the VPM. 

pragma: no cache (PNC) — A metatag in the header of a request that requires the 
appliance to forward a request to the origin server. This allows clients to always 
obtain a fresh copy. 

proxy — Caches content, filters traffic, monitors Internet and intranet resource 
usage, blocks specific Internet and intranet resources for individuals or groups, 
and enhances the quality of Internet or intranet user experiences. 

A proxy can also serve as an intermediary between a Web client and a Web server 
and can require authentication to allow identity-based policy and logging for the 
client. 

The rules used to authenticate a client are based on the policies you create on the 
ProxySG, which can reference an existing security infrastructure — LDAP, 
RADIUS, IWA, and the like. 

Proxy Edition — SGOS 5 Proxy Edition. 

proxy service — The proxy service defines the ports, as well as other attributes, that 
are used by the proxies associated with the service. 

proxy service (default) — The default proxy service is a service that intercepts all 
traffic not otherwise intercepted by other listeners. It only has one listener whose 
action can be set to bypass or intercept. No new listeners can be added to the 
default proxy service, and the default listener and service cannot be deleted. 
Service attributes can be changed. 

ProxySG — A Blue Coat security and cache box that can help manage security and 
content on a network. 

public key certificate — An electronic document that encapsulates the public key of 
the certificate sender, identifies this sender, and aids the certificate receiver to 
verify the identity of the certificate sender. A certificate is often considered valid if 
it has been digitally signed by a well-known entity, which is called a Certificate 
Authority (such as VeriSign). 

public virtual IP (VIP) — Maps multiple servers to one IP address and then propagates 
that information to the public DNS servers. Typically, there is a public VIP known 
to the public Internet that routes the packets internally to the private VIP. This 
enables you to "hide" your servers from the Internet. 
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real-time streaming protocol (RTSP) — A standard method of transferring audio and 
video and other time-based media over Internet-technology based networks. The 
protocol is used to stream clips to any RTP-based client. 

reflect client IP attribute — Enables the sending of the client's IP address instead of the 
SG's IP address to the upstream server. If you are using an application delivery 
network (ADN), this setting is enforced on the concentrator proxy through the 

Configuration > App. Delivery Network > Tunneling tab. 

registration — An event that binds the appliance to an account, that is, it creates the 
Serial#, Account association. 

remote authentication dial-in user service (RADIUS) — Authenticates user identity via 
passwords for network access. 

Return to Sender (RTS) — A way of allowing outgoing TCP packets to use the same 
network interface on which the corresponding incoming TCP packets arrived. 
The destination Media Acess Control (MAC) address for the outgoing packets is 
the same as the source MAC address of the incoming packets. See also Media 
Access Control (MAC) address. 

reverse proxy — A proxy that acts as a front end to a small number of predefined 
servers, typically to improve performance. Many clients can use it to access the 
small number of predefined servers. 

routing information protocol (RIP) — Designed to select the fastest route to a 
destination. RIP support is built into ProxySG appliances. 

router hops — The number of jumps a packet takes when traversing the Internet. 
RTS — See Return to Sender. 



secure shell (SSH) — Also known as Secure Socket Shell. SSH is an interface and 
protocol that provides strong authentication and enables you to securely access a 
remote computer. Three utilities — login, ssh, and scp — comprise SSH. Security via 
SSH is accomplished using a digital certificate and password encryption. 
Remember that the Blue Coat ProxySG requires SSH1. A ProxySG supports a 
combined maximum of 16 Telnet and SSH sessions. 

serial console — A third-party device that can be connected to one or more Blue 
Coat appliances. Once connected, you can access and configure the appliance 
through the serial console, even when you cannot access the appliance directly. 

server certificate categories — The hostname in a server certificate can be categorized 
by BCWF or another content filtering vendor to fit into categories such as 
banking, finance, sports. 

server portals — Doorways that provide controlled access to a Web server or a 
collection of Web servers. You can configure Blue Coat appliances to be server 
portals by mapping a set of external URLs onto a set of internal URLs. 
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server-side transparency — The ability for the server to see client IP addresses, which 
enables accurate client-access records to be kept. When server-side transparency 
is enabled, the appliance retains client IP addresses for all port 80 traffic to and 
from the ProxySG. In this scheme, the client IP address is always revealed to the 
server. 

service attributes — Define the parameters, such as explicit or transparent, cipher 
suite, and certificate verification, that the ProxySG uses for a particular service. 

sibling class (bandwidth gain) — A bandwidth class with the same parent class as 
another class. 

signed system image — Cryptographically signed with a key known only to Blue 
Coat, and the signature is verified when the image is downloaded to the system. 

simple network management protocol (SNMP) — The standard operations and 
maintenance protocol for the Internet. It consists of a set of standards for network 
management, including an application layer protocol, a database schema, and a 
set of data objects. In SNMP, the available information is defined by management 
information bases (MIBs), which describe the structure of the management data. 

simulated live — Used in streaming. Defines playback of one or more video-on- 
demand files as a scheduled live event, which begins at a specified time. The 
content can be looped multiple times, or scheduled to start at multiple start times 
throughout the day. 

SmartReporter log type — A proprietary ELFF log type that is compatible with the 
SmartFilter SmartReporter tool. 

SOCKS — A proxy protocol for TCP/IP-based networking applications that allows 
users transparent access across the firewall. If you are using a SOCKS server for 
the primary or alternate forwarding gateway, you must specify the appliance's ID 
for the identification protocol used by the SOCKS gateway. The machine ID 
should be configured to be the same as the appliance's name. 

SOCKS proxy — A generic way to proxy TCP and UDP protocols. The ProxySG 
supports both SOCKSv4/ 4a and SOCKSv5; however, because of increased 
username and password authentication capabilities and compression support. 
Blue Coat recommends that you use SOCKS v5. 

splash page — The custom message page that displays the first time you start the 
client browser. 

split proxy — Employs co-operative processing at the branch and the core to 
implement functionality that is not possible in a standalone proxy. Examples of 
split proxies include: 

• Mapi Proxy 

• SSE Proxy 

SQUID-compatible format — A log type that was designed for cache statistics and is 
compatible with Blue Coat products. 

squid-native log format — The Squid-compatible format contains one line for each 
request. 

SSL authentication — Ensures that communication is with "trusted" sites only. 
Requires a certificate issued by a trusted third party (Certificate Authority). 
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SSL client — See SSL device profile. 

SSL device profile — Used to determine various SSL parameters for outgoing HTTPS 
connections. Specifically, its role is to: 

• Identify the SSL protocol version that the ProxySG uses in negotiations 
with origin servers. 

• Identify the cipher suites used. 

• Determine which certificate can be presented to origin servers by 
associating a keyring with the profile. 

SSL interception — Decrypting SSL connections. 

SSL proxy — A proxy that can be used for any SSL traffic (HTTPS or not), in either 
forward or reverse proxy mode. 

static route — A manually-configured route that specifies the transmission path a 
packet must follow, based on the packet's destination address. A static route 
specifies a transmission path to another network. 

statistics — Every Blue Coat appliance keeps statistics of the appliance hardware 
and the objects it stores. You can review the general summary, the volume, 
resources allocated, cache efficiency, cached contents, and custom URLs generated 
by the appliance for various kinds of logs. You can also check the event viewer for 
every event that occurred since the appliance booted. 

stream — A flow of a single type of data, measured in kilobits per second (Kbps). A 
stream could be the sound track to a music video, for example. 

SurfControl log type — A proprietary log type that is compatible with the SurfControl 
reporter tool. The SurfControl log format includes fully-qualified usernames 
when an NTLM realm provides authentication. The simple name is used for all 
other realm types. 

syslog — An event-monitoring scheme that is especially popular in Unix 
environments. Most clients using Syslog have multiple devices sending messages 
to a single Syslog daemon. This allows viewing a single chronological event log of 
all of the devices assigned to the Syslog daemon. The Syslog format is: "Date Time 
Hostname Event." 

system cache — The software cache on the appliance. When you clear the cache, all 
objects in the cache are set to expired. The objects are not immediately removed 
from memory or disk, but a subsequent request for any object requested is 
retrieved from the origin content server before it is served. 



TCP window size — The number of bytes that can be buffered before the sending host 
must wait for an acknowledgement from the receiving host. 

time-to-live (TTL) value — Used in any situation where an expiration time is needed. 
For example, you do not want authentication to last beyond the current session 
and also want a failed command to time out instead of hanging the box forever. 

traffic flow (bandwidth gain) — Also referred to as flow. A set of packets belonging to 
the same TCP/UDP connection that terminate at, originate at, or flow through the 
ProxySG. A single request from a client involves two separate connections. One of 
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them is from the client to the ProxySG, and the other is from the ProxySG to the 
OCS. Within each of these connections, traffic flows in two directions — in one 
direction, packets flow out of the ProxySG (outbound traffic), and in the other 
direction, packets flow into the ProxySG (inbound traffic). Connections can come 
from the client or the server. Thus, traffic can be classified into one of four types: 

• Server inbound 

• Server outbound 

• Client inbound 

• Client outbound 

These four traffic flows represent each of the four combinations described above. 
Each flow represents a single direction from a single connection. 

transmission control protocol (TCP) — TCP, when used in conjunction with IP (Internet 
Protocol) enables users to send data, in the form of message units called packets, 
between computers over the Internet. TCP is responsible for tracking and 
handling, and reassembly of the packets; IP is responsible for packet delivery. 

transparent proxy — A configuration in which traffic is redirected to the ProxySG 
without the knowledge of the client browser. No configuration is required on the 
browser, but network configuration, such as an L4 switch or a WCCP-compliant 
router, is required. 

trial period — Starting with the first boot, the trial period provides 60 days of free 
operation. All features are enabled during this time. 



unicast alias — Defines an name on the appliance for a streaming URL. When a 
client requests the alias content on the appliance, the appliance uses the URL 
specified in the unicast-alias command to request the content from the origin 
streaming server. 

universal time coordinates (UTC) — A ProxySG must know the current UTC time. By 
default, the appliance attempts to connect to a Network Time Protocol (NTP) 
server to acquire the UTC time. If the ProxySG cannot access any NTP servers, 
you must manually set the UTC time. 

URL filtering — See content filtering. 

URL rewrite rules — Rewrite the URLs of client requests to acquire the streaming 
content using the new URL. Lor example, when a client tries to access content on 
www.mycompany.com, the ProxySG is actually receiving the content from the 
server on 10.253.123.123. The client is unaware that mycompany.com is not 
serving the content; however, the ProxySG access logs indicate the actual server 
that provides the content. 



WCCP — Web Cache Communication Protocol. Allows you to establish redirection 
of the traffic that flows through routers. 
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Web FTP — Web FTP is used when a client connects in explicit mode using HTTP 
and accesses an ftp:/ / URL. The ProxySG translates the HTTP request into an 
FTP request for the OCS (if the content is not already cached), and then translates 
the FTP response with the file contents into an HTTP response for the client. 

Websense log type — A Blue Coat proprietary log type that is compatible with the 
Websense reporter tool. 



XML responder — HTTP XML service that runs on an external server. 

XML requestor — XML realm. 
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